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= Do not attempt to implement any of the settings in this guide without first 
testing in a non-operational environment. 


= =6This document is only a guide containing recommended security settings. It is not 
meant to replace well-structured policy or sound judgment. Furthermore this guide 
does not address site-specific configuration issues. Care must be taken when 
implementing this guide to address local operational and policy concerns. 
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= =6The security changes described in this document only apply to Microsoft Windows 
2000 systems and should not be applied to any other Windows 2000 versions or 
operating systems. 


= =6This document contains possible recommended settings for the system Registry. 
Windows 2000 System Internet Information Services 5.0 can be severely impaired or 
disabled with incorrect changes or accidental deletions when using a Registry editor 
(Regedt32.exe Or Regedit .exe) to change the system configuration. There is no 
“undo” command for deletions within the Registry. Registry editor prompts user to 
confirm the deletions if “Confirm on Delete” is selected from the options menu. When 
user deletes a key, the message does not include the name of the key being deleted. 
Check selection carefully before proceeding. 


= = =SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED 
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
EXPRESSLY DISCLAIMED. INNO EVENT SHALL THE CONTRIBUTORS BE 
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
POSSIBILITY OF SUCH DAMAGE. 





= §=This document is current as of August 1, 2000. This is a living document and 
revisions will be constant, the change control area will state modifications. See 
Microsoft's web page for the latest changes or modifications to the Windows 2000 
operating system and applications. 
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Introduction 


This document will describe how to securely install, configure, and administer the Internet 
Information Services 5.0 (IIS) and associated services. The focus of this document is 
security-relevant information pertaining to the installation and administration of Internet 
Information Services 5.0. This includes the secure configuration of FTP, WWW, SMTP 
and NNTP services as they relate to IIS 5.0. 
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This document is intended for the reader who is already familiar with the Internet 
Information Services but needs to understand how to install, configure, and administer 
the product in a more secure manner. The information presented here is written in a 
direct and concise manner in deference to this intended audience. 





While this document is intended as a complement to the Windows 2000 Security Guide, it 
presents the information differently. Some Internet Information Services security issues, 
and corresponding configuration and administrative actions are very specific to the way 
the product is being used. For this reason, it is difficult in some areas to recommend 
specific, concrete actions. Instead, a summary is offered which describes the concerns 
and recommends solutions that a user must tailor to his/her own environment. 
Recommendations will be noted at the end of each section in a bulleted list for ease of 
reading and implementation. 
6 WARNING: This guide does not address security issues for 
the Microsoft Windows 2000 operating system that are not 


specifically related to the Microsoft Internet Information 
Services 5.0 and its implementation. 


Summary of ITS Documentation 


| Document | ~CCoontents_ |S Target audience 





Guide to the Secure A detailed look at the secure |e Experienced NT/2000 
Configuration and Administration installation and configuration administrators who may 
of Internet Information Services of IIS 5.0 and it’s associated be new to IIS 

5.0 (This document) services 

Implementation of Digest e Adetailed look at the e Experienced NT/2000 
Authentication in Microsoft mechanisms used by Digest administrators 

Internet Information Server (IIS) Authentication 

Version 5.0 





PLEASE NOTE THAT THESE DOCUMENTS ASSUME THAT THE READER IS A 
KNOWLEDGEABLE WINDOWS 2000 ADMINISTRATOR. A knowledgeable Windows 
2000 administrator is defined as someone who can create and manage accounts and 
groups, understands how Windows 2000 performs access control, understands how to 
set account policies and user rights, is familiar with how to setup auditing and read audit 
logs, etc. These documents do not provide step-by-step instructions on how to perform 
these basic Windows 2000 administrative functions — it is assumed that the reader is 
capable of implementing basic instructions regarding Windows 2000 administration 
without the need for highly detailed instructions. 
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Getting the Most from this Guide 


The following list contains suggestions to successfully configure and administer Microsoft 
Internet Information Services 5.0: 


WARNING: This list does not address site-specific issues 
and every setting in this book should be tested on a non- 
operational network. 


Q Read the guide in its entirety. Omitting or deleting steps can potentially lead to 
an unstable system and/or network that will require reconfiguration and 
reinstallation of software. 


Q Perform pre-configuration recommendations: 


o Perform a complete backup of your system before implementing any of 
the recommendations in this guide 


Q Follow the security settings that are appropriate for your environment. 


Commonly Used Names 


Throughout this guide the network subnet 192.168.0 will be used in the examples, 
screenshots, and listings. 


the appropriate network subnet for the networks being 
secured. These names are not real networks and have been 


WARNING: It is extremely important to replace 192.168.0 with 
is used for demonstration purposes only. 
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Microsoft Internet Information Services 5.0 





This document consists of the following chapters: 


Chapter 1, “Internet Information Services Installation,” provides an overview of the 
pertinent security issues related to the installation of the Internet Information Services 
5.0. 


Chapter 2, “Internet Services Manager — Master Properties,” describes this IIS 5.0 
management tool, which is a Microsoft Management Console tool Snap-in. 


Chapter 3, “Services Installation and Administration,” describes configuration of the 
main functional components of IIS 5.0 and details the pertinent security-related settings 
(WWW, FTP, SMTP and NNTP). 


Chapter 4, “Additional Security Issues,” describes multiple administrator groups, IIS 
5.0 logging, a brief description of Certificates, and other miscellaneous items. 


Chapter 5, “Backup Procedures and Antiviral Precautions,” comments on backups 
and antiviral programs. 


Appendix A, “IIS 5.0 Security Configuration Tools,” contains information about the 
use of available tools to assisting in the configuration of IIS 5.0. 
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Appendix B, “Vulnerabilities,” contains information about IIS 5.0 vulnerabilities 
released to the public. 
Appendix C, “References,” contains a list of resources cited. 
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IIS security is tightly coupled to the operating system. For example, IIS logon can be 
coupled to the operating system logon so that a user does not have to log-on separately 


to IIS. 

File permissions, Registry settings, password usage, user rights, and other issues 
associated with Windows 2000 security have a direct impact on IIS security. 

The recommended source of information for how to securely configure the Windows 2000 
server and Professional is the Windows 2000 Security Guide. It is important to 
implement this guide on the IIS 5.0 machine. 
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Internet Information Services Installation 


Internet Information Services (IIS) is a high-speed web server used to publish and 
distribute WWW-based content to standard browsers. IIS 5.0 is only available for the 
Windows 2000 platform. IIS 5.0 is primarily intended for installation on a Windows 2000 
Server or Advanced Server and is not designed for use with any previous Microsoft 
operating system platforms. IIS 5.0 can run under the Windows 2000 Professional 
edition, however, it will be a scaled down version and functionality will be lost in the 
following areas: hosting multiple web sites, logging to an ODBC database, restricting 
access by IP address and process isolation. 


Version 5.0 provides the following publishing services: WWW, FTP, SMTP, and NNTP. 
Security issues relating to WWW, FTP, SMTP and NNTP will be discussed in detail in 
this document. Three additional application services are commonly associated with IIS - 
the certificate server, the index server, and Microsoft transaction server. Although these 
services can be installed at the same time as IIS 5.0 or later, the secure installation, 
configuration, and administration of these services will not be addressed in this 
document. Separate guidance is available for the certificate server on the same media 
containing this document. 


Operating System Security 


Install IIS 5.0 according to the manufacturer’s instructions; however, prior to 
implementing this guide, invoke the Windows 2000 operating system security guidelines 
contained within the Windows 2000 Security Guide. IIS 5.0 security is tightly coupled to 
the operating system. File permissions, registry settings, password usage, user rights, 
and other issues associated with Windows 2000 security have a direct impact on IIS 5.0 
security. The advantages gained by this tight coupling are no increased complexity, 
possibly no security holes due to the addition of security layers, and better performance 
by eliminating unnecessary overhead caused by additional security and access control 
layers. The primary disadvantage is that poor OS security can often cause poor web 
security. 
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Prior to configuring IIS 5.0, determine how the server will be used. The configuration of 
IIS directories, files, user accounts and profiles, TCP/IP port connections, etc. will be 
based on your answers to the following questions: 


= Will the server be accessed from the Internet? 

= Will the server be accessed from an Intranet? 

= How many web sites will this server host? 

= Will separate web sites share any content? 

= Will the server permit anonymous or authenticated user access (or both)? 


= Will Secure Socket Layer (SSL) connections be supported? 
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Will the server be used only for web access via HTTP? 
Will the server support FTP services? 


Are there specific users that will need to copy, open, delete, and write files on your 
server? 


Wakes litelelelameleirel=iialsts 


When installing IIS 5.0, the following guidelines are recommended: 





Q 











Place the IIS machine where it will be physically secure; i.e., behind a locked door 
where only authorized personnel can gain physical access to it. 


If possible, install IIS on a server with its own domain and no trust links to other 
domains. 


Install IIS 5.0 on a standalone server, where possible. If IIS 5.0 is installed on a 
domain controller and the web server is attacked, the entire server and sensitive 
domain information may be at risk. Also, the added overhead of being a domain 
controller will also slow down the server’s ability to provide web services efficiently. 


Install IIS 5.0 on a server that is not required to support any other service. Neither 
application software nor development tools should be installed on the IIS 5.0 server. 


Partition the IIS machine so that published content of each supported service (WWW, 
FTP, etc.) is located on a separate partition or disk. This will prevent attempts to 
traverse up the directory tree beyond the published content root. 


IIS 5.0 does not allow the user to install the application anywhere except in the C 
partition (unless using unattended installation). It is integrated into the operating 
system functionality. Because of this, the default permissions applied to the 
%systemdrive%, typically C:\, by the Windows 2000 Security Guide may cause some 
services in IIS to not function properly. Care must be taken to ensure that operating 
system permissions do not interfere with the operation of the IIS Services. 


Remove all protocol stacks except TCP/IP, unless user’s Intranet requires another 
protocol stack. 


IP routing is disabled by default and should be left that way. If routing is enabled, it is 
possible to have data pass from user’s Intranet to the Internet. 


If access to the IIS 5.0 machine is required from the Internet, install it initially with all 
incoming traffic blocked at the router or firewall. After complete configuration, allow 
incoming traffic. This is recommended because once the main IIS installation has 
taken place, the services are active and connections can take place. This can cause 
a system compromise before there is time to configure the security of the web site(s). 


Installation of client for Microsoft networking is required for the HTTP, FTP, SMTP 
and NNTP services to run. If not installed the services will NOT be able to start 
automatically or manually. 


If SMTP of NNTP will be installed, the Server service will be required, thus, File and 


Print sharing for Microsoft networks must be installed. If it is not, the Server service 
will not show up in the available MS services. 
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The following is a list of services that are not required for most installations of IIS 5.0 and 
should be disabled. This list is not all inclusive of all possible services and will be 
dependant on the user’s implementation of the IIS server and its environment. 





Service Important Notes 
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ClipBook Server 





Computer Browser 





DHCP Client 
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Distributed File System 





Distributed Link Tracking Systems 











Client 
Distributed Link Tracking Systems 

Client 
FTP Publishing Service Disabled unless user’s require FTP services 
IPSEC policy agent Disabled unless IPSEC policies will be used 





Licensing Logging Service 





Logical Disk Manager Administrator 
Service 





Messenger 





Net Logon Disabled unless domain users are required to logon 
to the server, this service is required to 
communicate with the domain controller 





Network DDE 





Network DDE DSDM 





Print Spooler 





Remote Registry Service 





Removable Storage 




















RPC Locator Required if user is doing remote administration 

RunAs Service 

Server Service Must be started if server will run the SMTP or NNTP 
service of IIS, for administration purposes 

Task Scheduler 

TCP/IP NetBIOS Helper 

Telephony 





Windows Installer 





Windows Time 














Workstation Service Must be started if the server will be part of a domain 
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Post Installation 


During the installation of IIS, a default account is created for anonymous logons. The 
default name for this account is IUSR_computername, where computername is the name 
of the machine hosting IIS. This account should be given the least amount of privileges 
possible. Review the security settings for the IUSR_computername. Make sure User 
Cannot Change Password and Password Never Expires options are selected. This 
account should be a local account, not a domain-wide account, and must have the right 
to log on locally. It does not require the right to access this computer from the network, or 
log on as a batch job, which it does have by default. If anonymous access to the web site 
is prohibited, it is recommended that this account be disabled. All users would then be 
required to supply a valid username and password, using basic authentication, integrated 
Windows authentication or digest authentication for Windows domain servers to access 
server resources (discussed in more detail in Chapter 3). See Figure 1. 





IUSR_IIS5-SER¥ER Properties e 2) x] 


General Member Of | Profile | Dial-in | 


4 IUSR_IS5-SERVER 








Full name: Internet Guest Account 
Description: [Built-in account for anonymous access to Internet In 
[| User must change password) at next logon 


JV User cannot change password 
IV Password never expires 

[” Account is disabled 

[| Account is locked\aut 





Cancel | 


Figure 1 User Properties Sheet for Anonymous Account 








Note: The Windows 2000 Security Guide does not take into 
account the need for the IUSR_Computername account to be 
included in the log on locally user rights. Please make sure 
to modify the user rights security template if applying after 
the installation of IIS 5.0. 
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Groups for file, directory, administration purposes 


Create at least two new groups to be used with IIS. The “WebAdmins” group, for 
example, to define users who will administer WWW/FTP content. If the server will host 
several WWW/FTP sites, create an administrative group for each site. A “WebUsers” 
group should be created as the primary group for the IUSR_computername account. 
These groups will be used for setting NTFS permissions. The IUSR_computername 
account should not be a member of any other group. By default, the 
IUSR_computername account is a member of the Guests group. It is recommended that 
this account be removed from the Guests group and added to the WebUsers group. All 
accounts placed within the WebUsers group should ONLY be used for web site access 
and should not be a member of any other group, i.e., "Users" group. See Figure 2. You 
also may consider putting the IWAM_computername account in this group also. 
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IUSR_IIS5-SERVER Properties ae) zi x) 





General Member Of Profile | Dial-in | 


Member of: 
WebUsers 





Figure 2 |IUSR_computername as a member of WebUsers group ONLY 


Administering IIS with Multiple Groups 


IIS 4.0 allowed the creation of local groups to setup different administrative groups for the 
IIS services. In IIS 5.0 this paradigm has changed. Local groups can and should be 
created for different administrative groups. However, the difference is that local groups 
for the WWW and FTP services will only be used for NTFS permissions. The SMTP and 
NNTP services will allow the ability to set local groups as administrative operators for the 
IIS service, and the next few paragraphs will describe the benefit of doing so. It must be 
noted that if the IIS 5.0 server will participate in a Windows 2000 domain, the domain 
server’s local, global, and universal groups can be created and used for both the 
administration and NTFS permissions identified below. Because of the difference in the 
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local group functionality, user accounts should be used to identify administrative 
operators for the WWW and FTP services/sites unless utilizing domain groups. A public 
IIS server should not be a member of the internal domain and a segmented domain in the 
DMZ should not include a trust relationship to the internal domain. 


In order to simplify the assignment of administrative rights to the IIS Server, it is 
recommended that a separate Windows 2000 IIS Administrators Group(s)be established. 
It is strongly recommended that the user not use the Windows 2000 Administrator 
group, as it is not necessary to have Windows 2000 administrative rights to perform many 
IIS 5.0 administration functions. IIS administrative rights are assigned through the SMTP 
and NNTP (WWW and FTP if active in a domain) property dialog boxes by defining 
Service operators as described in Chapter 3. 


Having a separate IIS administration group offers several benefits. First, it precludes the 
need for IIS administrators to logon unnecessarily as a Windows 2000 administrator — 
something that should be avoided for security reasons. Second, it will allow the 
partitioning of administrative rights. For example, the right to reconfigure the IIS server to 
a select few (Windows 2000 administrators) can be reserved, while allowing several 
individuals to manage WWW and FTP content. For instance, users who are members of 
a web operators group could be given access to control what is made available to visitors 
to the site through the WWW and FTP data directories. They would not have access to 
configure the web server, i.e., add users and groups, etc. Windows 2000 administrators 
would retain that right. Finally, having separate IIS administrator groups for each site 
maintained by the server would simplify the process of managing administrative rights — 
adding a new administrator for a site is as simple as making them part of the appropriate 
group. 

This becomes very important when a server is used to manage several sites. As stated 
previously, an administrative group should be created for each web site. The members in 
these groups would be granted operator privileges to administer their own web site 
exclusively. This would allow the Windows 2000 administrators to maintain their server 
and manage their security risks more effectively by having as few Windows 2000 
administrators as possible and not permitting any one group total control over all sites on 
the server. 


The Default Install Directory 


After installing IIS 5.0, change the NTFS access permissions on the IIS install directories. 
It is particularly important to make certain that the “Everyone” and “Guests” group 
accounts, as well as the “Guest” user account, are not granted access by highlighting 
them and selecting the Remove button. By default, the group “Everyone” is given Full 
Control of the default publication directory (i.e., C:\Inetpub). These group and user 
accounts can be used by malicious users to gain access to systems. Removing them will 
prevent such users from using the server for data storage or staging an attack by placing 
malicious code on the server. Also, the Inetpub directory is installed by default in the C:\ 
directory (or %systemdrive% if not C). A new directory or the existing structure should be 
moved to another partition or drive, separating the accessible sites from the operating 
system location. It is advisable to change the name from Inetpub to something less 
obvious. 


IIS 5.0 can be installed in a custom location but only by utilizing an unattended 
installation, this is done by using an answer file. The answer file (ex. lis5.txt) will need to 
consist of the following: 


UNCLASSIFIED 


[Components ] 
iis_common = on 
iis_inetmgr = on 
iis_www = on 
iis_ftp = on 
iis_htmla = 
iis_doc = on 
i1is_pwmgr = on 
iis_smtp = on 
iis_smtp_docs = 
mts_core = on 
off 





msmq = 


[InternetServer] 


on 
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Path="{put your drive and install 


PathFTPRoot="{put your drive and install 


f£:\FTPROOT}” 





PathWWWRoot="{put your drive and install 


£:\WWWRoot}” 


location here, i.e. 





location here, 





location here, 





e:\iis5}” 


ave. 


se. 


Next the following command must be run to start the unattended installation from the 


command line: 


Sysocmgr/l:Y%windir%\infisysoc.inf /u:a:\iis5.txt 


For further information pertaining to unattended installation and other options please see 
the Upgrading to IIS 5; Installing IIS 5 to a Custom Location reference. 


Table 1 shows the recommended NTFS and IIS permissions for the IIS-related 


directories. 






































Type of Example Directories Data Examples NTFS File Permissions IIS 5.0 
Data Permissions 
Static Content \Inetpub\wwwroot\images HTML, images, FTP Administrators (Full Control) Read 
\Inetpub\wwwroot\nome downloads, etc. System (Full Control) 
\Inetpub\ftproot\ftpfiles WebAdmins (Read & Execute 
Write, Modify) 
Authenticated Users (Read & 
Execute) 
Anonymous (Read & Execute) 
FTP Uploads \Inetpub\ftproot\dropbox Directory used as a Administrators (Full Control) Write 
(if required) place for users to store | WebAdmins or FTPAdmins 
documents for review (Read & Execute, Write, Modify) 
prior to the Admin Specified Users (Write) 
making them available 
to everyone 
Script Files \Inetoub\wwwroot\scripts .ASP Administrators (Full Control) Scripts only 
System (Full Control) 
WebAdmins(Read & Execute, 
Write, Modify) 
Anonymous: special access 
(Execute) 
Other \WebScripts\executables .exe, .dll, .cmd, .pl Administrators (Full Control) Scripts only 
Executable and | \WebScripts\include .inc, .shtml, .shtm System (Full Control) Or 
11 
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Include Files WebAdmins (Read & Execute, Scripts and 
Write, Modify) Executables** 
Authenticated Users special 
access (Execute) *“(Depending on 
Anonymous: special access necessity) 
(Execute) 

Metabase \WINNT\system32\inetsrv MetaBase.bin Administrators (Full Control) N/A 
System (Full Control) 








Table 1 Permission Settings 
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Note: IIS permissions complement the NTFS permissions. 

For a file to be sent to the client browser for rendering, IIS 

Read permission must be set for the web directory, and the 
os user in whose context the service is running must have NTFS 
Read access to that file. If they do not match, the most 
restrictive permission will be enforced. 








tab: granular access to all potential file permissions. 
Modifications to larger web sites using this method can 


3 WARNING: Advanced tab under the NTFS security property 
cause difficult trouble shooting problems in the future. 


Chapter 3 will describe in detail IIS permissions and other security settings for the IIS 
services. 


Establish directories that contain read only files (HTML, images, files made available for 
FTP download, and other such files). Each type should have its own directory with ONLY 
Read (NTFS and IIS 5.0) permission for file access allowed to the WebUsers group. 
Grant Read & Execute, Write, and Modify file access permissions to the group 
responsible for maintaining web content (i.e., WebAdmins). 


Establish directories that contain executable files only (scripts, batch files, and other 
executables). These directories should ONLY have NTFS Traverse Folder / Execute 
File for users accessing your site (i.e., IUSR_computername, WebUsers) and IIS 
permission of Scripts Only. IIS 5.0 Scripts and Executables permission should only be 
allowed on directories where appropriate, i.e., a directory containing binary files that must 
be executed by the web server. Scripts and Executables is additional access control 
permissions offered by IIS 5.0. These options will be discussed in detail in Chapter 3. 


Delete or move all directories that contain “samples” and any scripts used to execute the 
“samples”. The following is a list of directories created during the installation of IIS. It is 
recommended that these directories be deleted or relocated. If there is a requirement to 
maintain these directories at the site for training purposes, etc., have NTFS permissions 
set to only allow access to authorized users, i.e., WebAdmins and administrators. See 
Chapter 4 for more complete information about samples. Also, to control access to these 
directories through WWW, require Integrated Windows authentication through the Web 
Site Properties dialog box (Chapter 3 describes how to configure this setting). 


™ \InetPub\iissamples 


= \InetPub\AdminScripts 
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IIS Services 


There are four potential services that can be offered by installing IIS 5.0. Those four 
services are World Wide Web (WWW), File Transfer Protocol (FTP), Simple Mail 
Transfer Protocol (SMTP) and Network News Transfer Protocol (NNTP). 


WWW - Service necessary to build a web server and serve web pages to clients. 
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FTP — Service necessary to allow users to FTP to the server to obtain or upload files. 


SMTP — Service necessary to allow the web server to send and receive Email to clients 
in response to forms or perhaps shopping cart programs (if required). 


NNTP — Service necessary to host a USENET style news server. 


x4; Services 

















fees 
[ Action view |- > | alm le Bea ||> su» 
Tree | Description [Status | Startup Type__| Logon As _ || 














Remote Access Connection Manager Creates a network connect... Manual LocalSystem 
Remote Procedure Call (RPC) Provides the endpoint map... Started Automatic LocalSystem 
Remote Procedure Call (RPC) Locator Manages the RPC name se... Manual LocalSystem 
Remote Registry Service 4llows remote registry man... Started Automatic LocalSystem 
Removable Storage Manages removable media,... Started Automatic LocalSystem 
Routing and Remote Access Offers routing services to... Disabled LocalSystem 
Ry Runds Service Enables starting processes... Started Automatic LocalSystem 
Security Accounts Manager Stores security information... Started Automatic LocalSystem { 


Services (Local) 












Bs Server Provides RPC support and... Started Automatic LocalSystem 
Bs Simple Mail Transport Protocol (SMTP) Transports electronic mail a... Started Automatic LocalSystem 
SB Smart Card Manages and controls acce... Manual LocalSystem 
Sq Smart Card Helper Provides support for legac... Manual LocalSystem 
Ss System Event Notification Tracks system events such... Started Automatic LocalSystem 
a Task Scheduler Started 








v 


Frables a nranram tn rina... Automatic LocalSyvstam 








Figure 3 Service Tool from Administrative Tools 
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During the installation the administrator has the ability to turn off (deselect) the services 
that they do not wish to install. After installation, any of the services can be turned off in 
the case that they are no longer needed. 


To deselect services: 
e From the start menu, click Programs > Administrative Tools > Services 


e Highlight the service that needs to be turned off, right-click mouse, choose stop to 
turn off the service 


e To ensure that it will not restart upon rebooting, right-click the service and choose 
Properties. In the Startup type drop down menu change the service from “Automatic” 
to “Manual” or “Disabled”. See Figure 4: 


Simple Mail Transport Protocol (SMTP) Properties (Local Compania je.4| 





General Log On| Recovery | Dependencies | 


Service name: SMTPSYC 


Display name: [Simple Mail Transport Protocol (SMTP) 
Description: [Transports electronic mail across the network 


Path to executable: 





CAWINNT\System32\inetsry\inetinfo. exe 


Startup type: [Automatic ba 


Automatic 






Manual 
Disabled 





Service status: 


Start | Stop | Pause | 


‘You can specify the start parameters that apply when you start the service 
from here. 


Start parameters 





Cancel Apply 


Figure 4 Sample Disabling of SMTP Service from Services Tool 





Securing the Metabase 


This information is taken from the Internet Information Server Version 4.0 Security 
Assessment document written by Kenneth G. Jones of the MITRE Corporation. Refer to 
this document if a more detailed explanation is required. 
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Purpose 
The metabase stores IIS configuration parameter values in a fast-access, memory-resident 


data store. The Metabase is specifically designed for use with IIS and is faster, more flexible, 
and more expandable than the Windows 2000 Registry. 


Structure 
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Each node in the metabase structure is called a key, and may contain one or more IIS 
configuration values called metabase properties. The IIS metabase keys correspond to the 
components and capabilities of IIS, and each key contains properties that affect the 
configuration of its associated component or capability. The metabase is organized in a 
hierarchical structure that mirrors the structure of IIS as installed. Most of the IIS 
configuration keys and values stored in the system Registry for previous versions of IIS are 
now stored as properties in the metabase. New keys and values have been added for finer 
and more flexible control of IIS. An advantage of this metabase structure is that it facilitates 
assigning different settings of a property for different instances of the same key. For 
example, the MaxBandwidth property specifies how much of the total bandwidth available to 
a server can be committed to web transactions. The metabase can now support a different 
MaxBandwidth setting for each web site. 
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Security 


The metabase is stored in a specially formatted disk file named MetaBase.bin, and is 
located in the \Winnt\system32\inetsrv directory. The metabase loads from disk when 
IIS starts, is stored to disk when IIS shuts down, and is saved periodically while IIS is running. 
It is important to protect this file from unauthorized access, although sensitive data is stored 
in a secure manner within the file. If the file is replaced with a fraudulent file, the operation of 
the web server can be compromised. If the file is replaced while the server is not running, any 
changes implemented in the file will be effective the next time the server is started. The 
effects caused by these changes can range from denial of service through unauthorized 
service being provided by the web server. It is recommended that this file be stored on an 
NTFS partition and use Windows 2000 security to protect it. The default permission settings 
for this file are System and Administrators Full Access. Limiting the access to System and 
local Administrators provides good security; therefore, there is no need to change or add to 
these settings. 


To reinforce access control to this file, it is recommended that this file be hidden from 
unauthorized users. Moving or renaming the file can accomplish this security measure. To 
relocate or rename the MetaBase file, IIS will need to be stopped, move or rename the file, 
and modify the Registry key 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InetMgr\Parameters. Add a new 
REG_SZ value to this key named Metadata File to specify the new complete path of the 
Metabase file, including the drive letter and filename. This tells IIS where to find the file on 
startup. 
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Recommendation Checklist for Chapter 1: 


Implement Windows 2000 Security Guide 


Block all traffic to server before installation takes place (for Internet accessible 
server) 


Q Place IIS server in physically secure location 


Install IIS on stand alone 





Install only OS and required IIS 5.0 components (no applications or development 
tools) 


Q Create a new Inetpub root directory on separate drive or partition from OS and other 
programs. Use a name other than Inetpub to help counter potential attacks 


Q Remove all protocol stacks except TCP/IP 


Disable all non-required services 





IUSR_Computername account privileges 
o Select User cannot change password 
o Select Password Never Expires 
Q User rights 
o Grant Log on locally 
o Remove Log on as a batch service and Access this computer from the network 
If non-anonymous access: disable the |IUSR_Computername account 
Create local admin groups for each web site and populate with required accounts 


Create local group for WebUsers and include only the required accounts, including 
the IUSR_Computername account 


Remove IUSR_Computername from all other groups (i.e., guests, etc.) 


Remove all NTFS permissions from the Inetpub directory, and assign only required 
access groups and accounts (i.e., remove everyone, add WebUsers, WebAdmins, 
etc.) 


Q_ Establish logical directory structure (i.e., separate static content, html, asp, scripts, 
executables into different labeled directories) 


Set NTFS permission on directory structures as required 


Delete/move all sample directories and scripts that execute the samples 


Metabase 


Q Modify the metabase permissions and/or move it and change registry key 
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Internet Services Manager - Master Properties 
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The Microsoft Management Console (MMC) provides a user interface shell application 
called a console. Microsoft's objective is for all management functions to be accessible 
as subordinates within the management console. These processes are known as Snap- 
ins. MMC itself does not provide any management behavior, but it offers a common 
environment for Snap-ins. The result is that management/administrative control of the 
platform is centralized. A Snap-in for IIS, Internet Service Manager (ISM), is provided 
during installation. The ISM will be discussed in more detail later in this chapter. 


Each instance of a console and associated Snap-ins is commonly referred to as a tool. 
Any number of tools can be created. Once created, the console can be populated with 
existing Snap-ins or a new Snap-in may be created for a specific purpose. 
Administrators can create tools that host several Snap-ins and save these for later use or 
for sharing with subordinate administrators. The administrator can take advantage of the 
customization features by preparing consoles that perform only one task and use them to 
delegate responsibility to other, perhaps less experienced administrators. The console 
can be tailored to present only the menu choices the user needs to get the job done. For 
example, an administrator could create a new MMC console with the IIS Snap-in for web 
administrators to use to manage web resources. See Figure 5: 
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¢ Internet Information Services RS 
| action wow |] > | Eafe | est S| |) | ym | | 
[Description = State | HostHeader Name | IP Address | Port_| Status _| 


a) Default FTP Site Running * allUnassigned* 21 
@ Default Web Site Running * all Unassigned * 80 
& Administration Web Site Running * AllUnassigned* 2269 
P) X-Files Running * AllUnassigned* 8080 
Default SMTP Virtual Server Running * AllUnassigned* 25 
Default NNTP Virtual Server Running * AllUnassigned* 119 



















Tree 











3 Internet Information Services 
=) * iisS-server 

fe) Default FTP Site 

@ Default Web Site 

@ Administration Web Site 
® *-Files 

> Default SMTP Virtual Server 
ey Default NNTP Yirtual Server 
























2) 








Figure 5 Microsoft Management Console with the Internet Service Manager Snap-in 


In addition to the MMC, there is an HTML version of the ISM, which is capable of 
managing several aspects of IIS 5.0. The are also several areas not manageable with the 
HTML version which include server extensions for remote authoring, changes to 
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certificate mapping, and the SMTP and NNTP services. There are also some tasks that 
can more easily be performed using the ISM Snap-in. The HTML version is not easily 
customizable to allow delegated control over specific areas or sites. 


Remote HTML administration should only be allowed if necessary. It should only be 
allowed for the IIS server administrator, using one specific IP address through IP Address 
and Domain Name Restrictions (Chapter 3) in conjunction with SSL (Chapter 4) client 
side certificates (Chapter 4) and putting the specific local username in the (later in this 
Chapter) area of the administration site properties. Beyond this, it is recommended to 
limit any server administration to the local host using the ISM. The ability to add 
administrative operators will be described in the master properties section of this chapter. 


Master Properties 


In this section only the security related issues for the master properties of the services 
offered by IIS 5.0 will be discussed. Other security related features for all the services 
(WWW, FTP, SMTP and NNTP) will be identified and discussed in Chapter 3. 


Internet Service Manager 


When the IIS 5.0 Internet Service Manager (ISM) is started, an MMC console begins 
running and automatically loads the Internet Service Manager Snap-in. Under the 
property page there are two main information sheets, Internet Information Services 
(which is active by default) and Server Extensions. Clicking the appropriate tab can 
access either. On the IIS sheet, there are three main property dialog boxes general to IIS 
operation - Master Properties, Enable Bandwidth Throttling, and Computer MIME 
Map. Setting these general properties is very useful if the user understands that they will 
be creating a number of different web sites on their server. These properties will be 
automatically inherited by all web sites created on the server, which will save time when 
configuring each site. If some sites require different properties, they can be set during the 
configuration of each web site. 


Only the common settings that can be established through the Master Properties dialog 
box to enhance security will be discussed in this chapter. The next chapter will describe 
the property dialog boxes for configuring individual security settings of the WWW, FTP, 
SMTP and NNTP services using the ISM. 


To access the Master Properties dialog box: 
e Highlight the IIS server name in the ISM 
e From the Action pull-down menu, select Properties 


e Select the WWW or FTP service via the drop down menu and click the Edit 
button to configure Master Properties for the selected server. See Figure 6: 
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Internet Information Services | Server Extensions | 





Master Properties 
Edit the properties inherited by all sites created on this 
computer. 





Master Properties: 


ww! Service sé | Edit... | 


TT Enable Bandwidth Throttling 











Limit network bandwidth available for all Web and Fir sites on this 

Computer. 

Mavinum network use fi 024 Kb/s 
Computer MIME Map 





nN Configure the MIME types for all web 
as sites on this computer. Edit... | 











OK | Cancel | Apply Help | 





Figure 6 Master Property Dialog Box for IIS WWW/FTP Services 


WWW Service 


This master property dialog box is used to set default values used by all current or new 
sites on this server. If a value for a specific web site will change as a result of the values 
set on the Master Properties dialog box, the user will be prompted to select the items that 
should adopt the new settings. An item will remain unchanged if it is not selected. 
Changes made to a list-based property will replace the original setting, not merge with 
existing settings. Select Edit in master properties to configure common WWW site 
properties. The following shows the dialog boxes for setting common security-related 
properties using the Web Site, Operators, Home Directory and Directory Security tabs. 


NOTE: These same settings can be applied individually to 
the WWW, FTP, and SMTP services. Only the security related 
settings for the Master Web Site, FTP Site, Operators, Home 
Directory and Directory Security tabs are discussed here as 
Ce they contain the settings that are most likely to be 
universally applicable to the WWW and FTP services. 
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Web Site Tab - Enable Logging (See Figure 7) is selected by default and is the only 
security-related setting on this dialog box. Keeping the default setting will ensure logging 
is enabled for all web sites created on this server. This logging will keep track of many 
different information types, which will be discussed in Chapter 4. 





WWW Service Master Properties for iis5-server can i fee xd 


Documents | Directory Security | HTTP Headers | Custom Errors | Service | 
Web Site | Operators | Performance | ISAPI Filters | Home Directory | 


- ‘Web Site Identification 


Description: 















|P Address {All Unassigned] 
TEP Part [eo 

> Connections 
@ Unlimited 


© Limited To: 1.000 connections 
Connection Timeout: 600 seconds 


lV HTTP Keep-lives Enabled 








Iv Enable Logging 


Active log format: 


[wac Extended Log File Format 7] Properties... | 











Cancel | Apply | Help | 


Figure 7 Master Web Site Properties for WWW dialog box 





Operators Tab — See Figure 8. The WWW Service Master Properties Sheet allows the 
user to identify groups or accounts with the permission to perform some administrative 
functions for all of the WWW sites created on this server. When each site is configured, 
these groups/accounts will automatically be included and the user will have the option to 
remove them, as well as add other groups/accounts as appropriate for the site. If the 
server is responsible for maintaining several web sites, create a separate group to 
manage WWW content for each site. IIS 5.0 does not allow user created local groups to 
be included in the Operators sheet for WWW or FTP sites. This rule also applies to the 
specific WWW/FTP site properties, not just the master sheet. 
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WWW Service Master Properties for iis5-server ; a 3 ih Xx 





Documents | Directory Security | HTTP Headers | Custom Errors | Service | 
Web Site Operators Performance | ISAPI Filters | Home Directory | 













Web Site Operators 
Grant operator privileges on this Web Site only to these Windows User 
Accounts. 
Dperators: Fa Administatats ad Add... 






Remove 











Cancel | 





Help | 





Figure 8 Master WWW Operators Dialog Box 


Home Directory Tab — See Figure 9. The master properties of the WWW server is a 
good place to set all the sites to log visits. The logging will ensure that all sites, which are 
added later, will, by default, be logging the visits to the site. Logging is the baseline for 
detecting intrusive behavior on target systems. By setting this here, the administrator will 
not need to set it for each site that is created during the life of the server. The Read, 
Write and Directory browsing permissions should be left unset. For each site that is 
created, these options can be set as required. 


= Read setting - gives permissions for visitors to see the sites. 


= Write setting - gives permissions to write to the directories where the sites were 
installed. 


= Directory browsing setting - gives the user the ability to see a listing of all the files ina 
particular directory. 


The recommendation here is to disable the Read, Write and Directory browsing 
permissions in the master properties, by NOT selecting them. This will be addressed 
further in Chapter 3 with the site settings. 


Finally, on the Home Directory tab is the execute permissions drop down box. The 
recommended setting is “None” which will preclude visitors from being able to run scripts 
or executables by default. These settings can be modified as necessary for each 
individual site, but using “None” as the default will help preclude unintentionally assigning 
execute permissions where they were not intended. 
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Documents | Directory Security | HTTP Headers | Custom Errors | Service | 
Web Site | Operators | Performance | ISAPI Filters Home Directory 


When connecting to this resource, the content should come froni 











Local Patt 

[| Script source access I Log visits 

|" Read T Index this resource 
T Write 


I Directory browsing 





Application Settings 


Application name: 


Starting point <Web Master Properties> 
Configuration... | 
Execute Permissions: & None 2 
Unload | 








Application Protection 











OK | Cancel | Apply | Help | 


Figure 9 WWW Home Directory Master Properties 


Directory Security Tab — See Figure 10. The authentication methods used on the web 
site(s) are very important in identifying the users and controlling access to specific files, 
directories, and scripts or executables. The authentication will depend on whether the site 
is used in an intranet or on the Internet. To get to the Authentication Methods sheet, 
select Edit from the “Anonymous access and authentications control” area of the 
Directory Security tab of the WWW master properties sheet. The Anonymous Access 
option will either grant or deny access to all sites on the server by default. If this site will 
be used in an intranet and the internal network is a Windows based network, anonymous 
access should be disabled. This will allow logging and access control by specific user 
accounts. If a specific web site needs anonymous access it can be enabled during 
individual web site setup. If this server will be accessible to the Internet and most of the 
hosted web sites will allow anonymous access, then enabling anonymous access here 
makes sense. 


In addition to anonymous access, three other authentication mechanisms are available: 


= Basic authentication allows the username and password to traverse the 
Internet/network in cleartext. This can allow an intruder to capture valid accounts to 
attempt to break into the site. (Use of basic authentication with SSL will protect 
against this threat as discussed in Chapter 4) 


= Digest authentication for Windows domain servers is similar to Basic authentication, 
except, instead of using cleartext usernames and passwords, it passes a hash of the 
password in order to provide more secure authentication. Digest authentication is 
only usable with HTTP 1.1 compliant browsers (currently only IE5). The IIS 5.0 server 
must be in a Windows 2000 domain and the user passwords must be stored in plain 
text files on the domain controller (There is an option in user account properties for 
managing user accounts in a domain on the domain controller). Therefore, the 
domain controller must be secured (Refer to the Windows 2000 Security Guide). 
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= =6The integrated windows authentication option is the same as Windows NT 
Challenge/Response in IIS 4.0. Integrated Windows authentication can only be used 
with the MS Internet Explorer (IE) web browser. 


See Chapter 3 for a more detailed explanation of the authentication methods. The 
recommendation is to use the authentication method that will meet the needs of your site 
policy. Because of the wide variety of uses a more explicit recommendation is not 
possible. 
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No user name/password required to access this resource. 


Account used for anonymous access: Edit... 


Authenticated access 


For the following authentication methods, user name and password are 
required when 

- anonymous access is disabled, or 

- access is restricted using NTFS access control lists 
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|” Basic authentication (password is sent in clear text] 


Select a default domain: Edit 


J Digest authentication for Windows domain servers 


JV Integrated Windows authentication 


OK Cancel | Help 











Figure 10 Authentication Methods Properties from Directory Security Tab 


The FTP master property sheet has fewer options to offer than for the WWW service. To 
get to the FTP master property sheet, simply use the drop down box on the IIS-Server 
Properties sheet to select FTP Service and click Edit. 


FTP Site Tab — See Figure 11. It is recommended that logging be enabled in this 
section of the property sheets for ease of administration later and to ensure that logging 
is not forgotten as sites are added. Depending on the type of FTP service allowed, the 
number of connections allowed and inactivity timeout can be set in this section. This will 
allow better control of potential Denial of Service (DoS) attacks and server resource 
consumption. 
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FTP Service Master Properties for iis5-server ( “3 | i xi 


Home Directory | Directory Security | Service | 
FTP Site Security Accounts | Messages | 
Identification 





Description: 


|P- Address [All Unassigned) 


TEP Part [21 


> Connection 
© Unlimited 


(* Limited To: 500 connections 
Connection Timeout: 600) seconds 


—]¥ Enable Logging 

















Active log format: 


[wae Extended Log File Format aa Properties... | 














Cancel | Apply | Help | 


Figure 11 FTP Site Master Properties Sheet 


Security Accounts Tab — See Figure 12. Similar to that of the WWW service 
properties, anonymous access to the FTP service can be set here. Again, if this FTP 
server will be accessible by the Internet and anonymous access will be allowed, it is 
recommended to set that here. Also remember that the individual sites can override this 
setting, this is just blanket coverage for adding sites or changing all existing sites for a 
security or policy reason. 


WARNING: FTP passwords are sent in cleartext if a user 
logs in with their Windows 2000 account. 


It is recommended to select the Allow only anonymous connections option here to 
preclude password compromise. The Allow IIS to control password option is the same as 
the Enable automatic password synchronization option in IIS 4.0. This will allow 
synchronization of the password in this property sheet with that in the Computer 
Management snap-in to control user and group accounts. However, the 
IUSR_computername account should be on the local machine with which IIS is installed. 
This is the default and should not be changed. A Windows domain username and 
password should never be used for FTP. The second section of the sheet allows the 
identification of FTP site operators. The identification of groups or accounts with the 
permission to perform some administrative functions for all of the FTP sites created on 
this server is specified here. When each site is configured, these groups/accounts will 
automatically be included. The user will have the option to remove them, as well as add 
other groups/accounts as appropriate for the site. If the server is responsible for 
maintaining several FTP sites, create a separate group to manage FTP content for each 
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site. IIS 5.0 does not allow user created local groups to be included in the operators 
sheet for WWW or FTP sites. This rule also applies to the specific WWW/FTP site 
properties, not just the master sheet. 





FTP Service Master Properties for iis5-server ai xi 
Home Directory | Directory Security | Service | 
FTP Site Security Accounts | Messages | 





Jv Allow Anonymous Connections 


Select the Windows User Account to use for anonymous access to this resource 


Username: [lUSR_ISS-SERVER Browse... | 
Word j 


JV Allow only anonymous connections 


Passo 


IV Allow IIS to control password 








FTP Site Operators 
Grant operator privileges to Windows User Accounts for this FTP site only. 


Operators: Administrators 














Cancel | Apply | Help | 


Figure 12 Security Accounts for FTP Master Properties 


Home Directory Tab — See Figure 13. This area only has one security related option, 
Log visits. Unlike some of the other options that depend on the server implementations, 
this option should always be enabled from a security standpoint. It is recommended that 
the Log visits option be enabled on this master property sheet. Logging is essential in 
identifying intrusive behavior, in reconstructing the attack, identifying the extent of the 
damage done, as well as collecting valuable information to prosecute if legal proceedings 
may occur. Log visits, along with the logging feature identified on the FTP Site tab, 
should always be selected. 
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Figure 13 Choosing Log Visits on Home Directory Tab for FTP Master Properties 


Directory Security Tab — See Figure 14. 


TCP/IP Access Restrictions — This can be used to grant or deny access to all computer 
systems, except those included in the list identified. Again, depending on the use of the 
server, different options will be required. If the FTP server is intended to be accessible by 
the Internet, or the entire intranet, then administrator will want to grant access to all 
computers by default. If the server will have a specific user base and the user base does 
not have dynamically assigned addresses, deny all access and specifically identify 
allowed computers or groups of computers. Again, this is for mass coverage, and the 
individual site administrators can modify this to satisfy their own site security 
requirements. 
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Figure 14 Directory Security for FTP Master Properties 


Server Property Server Extensions 


The second section of the server’s master properties is the Server Extensions tab (See 
Figure 15). IIS 5.0 allows remote authoring. These features are for the FrontPage 
product. Remote authoring allows an author to make changes to a web page and upload 
it to the server remotely. This poses a critical security issue. This tab allows high level 
defaults to be set for the remote authoring capabilities of the IIS 5.0 web sites. The 
options of concern on this property sheet are in the “Permissions” section at the bottom. 
The default permission is NOT to log authoring actions and NOT to require SSL. It is 
strongly recommended to select Log authoring actions, Require SSL for authoring and 
Manage permissions manually. 


=™ Log authoring actions - generates audit trails when someone uploads new pages for 
a web site. The audit information includes the time an author’s action was performed, 
the author’s user name, the web name, the remote host, and per-operation data. 


™ Manage permissions manually — disables the security-setting functions of FrontPage 
Server Extensions administrative tools (Such as the FrontPage MMC snap-in), so that 
those tools cannot be used to modify the security settings of the selected web. To 
make sure that neither the administrator nor anyone else accidentally overwrites 
custom permissions, disable permissions in front page by checking this box. 


™ Require SSL for authoring - will force authoring to be done over the SSL protocol, 
thus the communications will be encrypted. The ability to turn off authoring will be 
discussed in Chapter 3, individual site properties. 
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= Allow authors to upload executables - allows the administrator or possibly the intruder 
to upload scripts or executables to the web server for execution. This option should 
be left disabled. 
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Figure 15 Server Extensions for Web Server 
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WWW Master Properties 
Web Site Tab 


O Ensure Enable logging is selected 


Home Directory Tab 


— zg se\deyo 


QO Disable (uncheck) Read, Write, Directory browsing options 
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O Ensure Log visits is selected 
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O Ensure None is selected for the Execute Permissions drop down box 





Directory Security Tab 





OQ If any site hosted by this server will NOT allow Anonymous access, Disable 
(uncheck) Anonymous access, under Authentication methods and select appropriate 
authentication method 


FTP Master Properties 
FTP Site Tab 


Q Set appropriate number of connections for max users on FTP server 
O Set maximum seconds for timeout (inactivity), 600 seconds is reasonable 
O Ensure Enable logging is selected 


Security Accounts Tab 





O Ensure Allow Anonymous Connections is selected 
Q Select Allow only anonymous connections 
Home Directory Tab 


Q Ensure Log visits is selected 


Server Extensions Master Properties 
QO Ensure Log authoring actions is selected 


Ensure Require SSL for authoring is selected 





oO 
Q Ensure manage permissions manually is selected 
Q Ensure Allow authors to upload executable is DISABLED (UNCHECKED) 
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Services Installation and Administration 


This chapter contains configuration and administration information pertaining to WWW, 
FTP, SMTP and NNTP services of IIS. Prior to detailing the security related installation 
and administration information for each service, a brief overview of the access control 
methods common to all the services is provided. 


Access Control Methods 





IP address grant/deny restrictions 


The first line of defense in the IIS security model is the ability to grant or deny access to the web 
server based on IP address or Internet domain name of the requesting client. An Internet domain or 
IP address of certain machines can be specified and either granted or denied access to the web 
server. When any packet of data is received, its source IP address or domain name is checked 
against those defined in the “IP Address and Domain Name Restrictions” area of the Directory 
Security tab of the WWW Service property dialog box, and the predefined actions for access are 
applied to it. When using IP address access control, note that some web clients may be accessing 
your server through a proxy server or firewall. When this happens, the IP address of the incoming 
packets will be that of the proxy server or firewall itself, not of the actual user’s client machine. Steps 
to configure this option for each service are described later in this chapter. 


Secure Sockets Layer (SSL) 


SSL provides privacy, integrity, and authentication in a_ private point-to-point 
communications channel. Chapter 4 provides a description for the use of certificates in 
this environment. 


Client and Server Digital Signatures 


Digital signatures are used both to verify the identity of a user or server and for web 
servers and browsers to provide mutual authentication, confidentiality of the pages 
transferred, and integrity of the information in them. More detail can be found in Chapter 
4. 


Identification and Authentication 


Four options are available in IIS to identify and authenticate users. See Figure 16: 
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Authentication Meth rd Seas, x 





dv Anonymous access 


No user name/password required to access this resource. 


Account used for anonymous access: Edit... 


Authenticated access 








For the following authentication methods, user name and password are 
required when 

- anonymous access is disabled, or 

- access is restricted using NTFS access control lists 
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| Basic authentication (password is sent in clear text] 


Select a default domain: Edit 


[ Digest authentication for Windows domain servers 





JV Integrated Windows authentication 


OK | Cancel | Help 











Figure 16 Authentication Methods Dialog Box 


Anonymous Access 


This is the method most often used when accessing a web server. By default, IIS creates 
the account IUSR_computername and IWAM_computername, which is granted local 
logon (log on locally), access this computer from the network, and log on as a 
batch job user rights. Whenever an attempt to access server resources over the web is 
made, the user is automatically logged on using this account. The user can then only 
access resources based on the privileges granted to this anonymous account. The 
account name used for this purpose can be changed using the Edit button. It is also 
recommended that the log on as a batch job and access this computer from the 
network rights be removed if the site will not require them. 


Note: Whenever the IIS service is stopped and restarted or 
the system is rebooted, the log on as a batch job and access 
this computer from the network rights are restored for the 
= IUSR_computername and IWAM_computername account. 





Workaround: If it is insisted that the IUSR_computername 

account does not have the log on as a batch job and access 

this computer from the network rights the following can be 

done to prevent this. Create a new local user account and 

change the IIS 5.0 default anonymous account under 

po Anonymous access and authentication control section of the 
Directory Security Tab of the WWW service or the Security 
Accounts Tab of the FTP Service. After that is assigned, 
delete the |IUSR_computername account. 





Note: The OS guide makes changes to remove user accounts 
from log on as a batch job and access this computer from 
the network user rights. However as the note above states, it 
is added back after a restart. 
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Basic Authentication 


Almost every web browser on the market supports this. Basic authentication sends the 
user name and password in clear text, which can be stolen by any person with the ability 
to monitor the traffic. If the site requires the use of Basic authentication, it is 
recommended SSL be implemented as well. The combination will help maintain access 
control to sensitive data without risking logon information being intercepted. 


To setup Basic authentication with SSL, perform the following steps: 
= Obtain a Server Certificate (Details in Chapter 4) 
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™ Require secure channel when accessing this resource (Details in Chapter 4) 
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=™ Enable Basic authentication and disable Anonymous and Integrated Windows 
authentication for this site (details on configuring these options can be found later in 
this chapter) 





Digest Authentication For Windows Domain Servers 


This offers the same features as Basic authentication but involves a different way of 
transmitting the authentication credentials. The server will send some information to the 
client, which will combine that with the username and password, add some other 
information, and compute a hash. That hash is sent to the server, along with the 
additional information in cleartext. The server will then take the data, combine it with the 
username and password and obtain a hash. If the hashes match, the user is 
authenticated. 


When enabling Digest authentication and disabling all other methods, a pop up box will 
appear stating that user account passwords are required to be stored using reversible 
encryption. It does not however, tell the administrator that they must explicitly enable a 
password policy to allow this to occur. Until the password policy is enabled, in effect and 
invoked, Digest authentication does not work. To enable this, use the Windows 2000 
group policy editor snap-in. Under Computer Configuration->Windows Settings->Security 
Settings->Account Policies->Password Policy, there is a Policy of “Store Passwords 
using reversible encryption for all users in the domain’, which is disabled by default. 
Enable this setting and the next time the user changes their password, or a new account 
is created, the password will be stored using reversible encryption. 


The Digest Authentication RFC readily admits that it is not a strong authentication 
mechanism and suffers from many known weaknesses. It is intended only as a 
replacement for much weaker and even more dangerous authentication mechanisms: 
Basic Authentication. The RFC has an entire section on security considerations, which 
does a pretty good job describing the protocol’s major weaknesses, so they are not 
repeated here. Security considerations addressed in the RFC include: 


e Replay Attacks 

e Maan in the Middle Attacks 
¢ Spoofing 

e Password Storage 

e Passive Dictionary Attacks 


e Active Dictionary Attacks 
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Most of these security weaknesses are inherent in the protocol, consequently, Microsoft 
is not able to implement countermeasures and remain compliant. For a more thorough 
explanation on how Digest authentication works, see the MS IIS 5.0 online 
documentation or Implementation of Digest Authentication in Microsoft Internet 
Information Server (IIS) Version 5.0. 


Note: digest authentication is only supported in HTTP 1.1 
compatible browsers but has the advantage of working 
through firewalls and proxy servers (unlike NTLM 
authentication as discussed below). The IIS 5.0 server must 
= belong to a Windows 2000 domain for this option to function. 
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Integrated Windows Authentication 
(formerly called NTLM or Windows NT Challenge/Response) 


This is a method for authenticating users that avoids placing a clear text password on the 
network. A cryptographic technique using hashing is used to authenticate the password. 
The actual username and password are never sent across the network, so it is 
impossible for it to be captured by an unauthenticated source. This authentication can 
use both the Kerberos v5 authentication protocol and its own challenge/response 
authentication protocol. Only clients with the MS IE browser can use this method of 
authentication. This option also does not work well on a secure extranet because it 
cannot operate over a proxy server or any other type of firewall application. It is, however, 
an excellent choice for secure intranets. 


IIS can be configured to allow any combination of authentication scheme and anonymous 
access, allowing a web site to contain both secure and non-secure portions. When an 
authentication scheme is used in conjunction with anonymous access, the user is always 
initially logged on using the anonymous account (IUSR_computername). When a request 
fails due to the account having insufficient access rights to a resource, a response is sent 
to the client web browser indicating that the user doesn’t have the required access. 
Returned with this information is a list of the various authentication schemes supported 
by the server. The client web browser responds by prompting the user for a name and 
password. The browser then traverses the list until it finds an authentication scheme that 
it supports. It then resubmits the original request to the server, this time with the newly 
entered username and password using the selected authentication scheme. If 
Anonymous access is not selected as an option, one of the other two options must be 
selected. 


Directory Management 


In addition to the file and directory permissions established at the operating system level, 
described in Chapter 1, IIS 5.0 introduces application level permissions. “Read”, “Write”, 


“Directory Browsing”, “Scripts only” and “Scripts and executables” are available access 
permissions for directories containing WWW and FTP content. 


= Read permission - allows the contents to be viewed and passed to the client browser 
for rendering. 


=™ Write permission - enables clients with browsers that support the “PUT” feature of the 
HTTP 1.1 protocol standard to upload files to the server or to change the content in a 
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write-enabled file. This is generally not granted unless the administrator has a very 
specific need to make this type of access available. 


= Directory browsing - allows a client to view all the files in a directory. Unless this is a 
public FTP server this option should be disabled. 


™ Scripts - restricts execution to scripts only, which is necessary if you are using ASP 
or CGI type programs. The file extensions for these scripts must be previously 
mapped to scripting applications (such as Perl and ASP). 


= Scripts and Executables - allows the execution of not only ASP, CGI and other 
scripting languages, but it also allows EXE and DLL programs to run. This is a very 
dangerous feature and is NOT recommended unless absolutely required and 
appropriate permissions set. This in combination with the write privilege can lead toa 
compromised server very quickly. 


UOI}es|SIUIIPY 


ep) 
io) 
2 
= 
Q 
4) 
) 
=} 
a 
a 
a 
o 
=a 
fe) 
=| 
i) 
5 
jos 





These permissions are set through the WWW and FTP site properties dialog boxes. 
Images of the web site properties and FTP site properties are shown under the Figure 
19 Web Site Home Directory Default Properties 


and Figure 30 FTP - Home Directory Tab headings. 


Note: These access controls complement the NTFS access 
controls. For a file to be sent to the client browser for 
rendering, the web directory has to permit IIS Read access 


and the user, in whose context the services is running, must 

have NTFS Read permission for the file. It is important to 
we remember that NTFS access controls and IIS access controls 
are combined through a logical and to produce a composite 
set of permissions. For example, a user granted NTFS Read 
access to the ftproot directory, and Read and Write to the ftp 
home (ftproot) directory through IIS would result in the most 
restrictive set of permissions (Read ONLY access to the 
ftproot directory). 





Ability to Implement Restrictions on Virtual Servers and Directories 


Virtual servers allows configuration of one computer running IIS to support several 
domain names (or web sites). When setting up a virtual server, either Host Header 
Names (HHN) or IP addresses are needed for the primary server and for each virtual 
server to be created. This makes the installation look like several web servers when 
viewed from the Internet, when only one copy of IIS is actually running, with possibly only 
one network card (using HHN’s). 


IIS allows the administrator to supply an alias for directory paths that contain information 
to be published. This alias is commonly referred to as a virtual directory and is used in 
URLs. As far as visitors to the site are concerned, virtual directories are subdirectories 
branching from the main /wwwroot directory. Security is enhanced with virtual directories 
because it adds another level of abstraction to the site, altering the way in which Internet 
users access the information. Read, Write, Directory Browsing, Scripts only, and Scripts 
and executables are IIS 5.0 permissions, which can be applied to a virtual directory and 
all of the files and folders contained within it. Read permission allows a client to download 
files stored in a virtual directory or subdirectory. Only directories that contain information 
to be published or downloaded should have Read permission set. To prevent clients from 
downloading executable files or scripts, it is recommended that they be located in 
separate directories without Read permission. Instead, these virtual directories should 
have Scripts only or Scripts and executables permission so web clients can run them. 
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Note: If Read permission is also enabled, users may be able 
to look at the information contained within your scripts, 
some of which may be sensitive (i.e., passwords). 

Ce 








Summary of Web Server Configuration Issues 


The following summarizes key areas to consider when configuring your web server: 


™ Decide how access is to be controlled on your web site and set restrictions based on 
IP address/groups or Internet domains. 


= Determine if SSL and Certificates are required in your environment. 


= Select an authentication method. Anonymous access is the most common method. 
Do not use Basic authentication unless your site implements SSL. 


=™ Create directories with Read only NTFS permission for the WebUsers group. These 
directories will also be assigned IIS 5.0 Read only permission during the WWW/FTP 
site setups. These directories will store the data that is to be made available to client 
browsers for viewing or downloading only. 


= Create a directory with Read & Execute NTFS permission only for the WebUsers 
group. This directory will be assigned Scripts only permission during the WWW site 
setup. This directory will store executables, such as scripts. 
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World Wide Web (WWW) Services 


The following is a description of the property dialog boxes used in configuring your WWW 
site server securely: 


Web Site Tab 


See Figure 17. Highlight the web site to be configured in the ISM, then right-click and 
select properties to access this dialog box. 
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Web Site Identification — Specify a Description - the name that will be used in the ISM 
tree view to identify this web site; select the IP address of the network interface card 
(NIC) to serve the site to; a TCP Port and SSL Port (if these are changed from their 
defaults, the administrator must notify users or they will not be able to connect); and 
Advanced options, where multiple domain names or host header names can be mapped 
to a single IP address using the Host Header Name box. More information on this topic 
can be found in the IIS online documentation (Naming Web Sites). 
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Connections — Allows the administrator to limit the number of simultaneous accesses to 
the web site and to set a connection timeout. Timeout settings are recommended to 
assist in preventing a possible denial of service attack. 


Enable Logging — It is recommended that this option be turned on. Once IIS logging is 
enabled, you can configure how and when log files are created and saved. Details on 
logging will be covered in Chapter 4, Auditing. 
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Default Web Site Properties 


Directory Security | HTTP Headers | Custom Enors | Server Extensions | 
Web Site Operators | Performance | ISAPI Filters | Home Directory | Documents | 


~~ Web Site Identification 


Description: [Default Web Site 
IP Address: [ia Unassigned) 7] Advanced... | 
TCP Pott: [20 SSL Part 


Connections 
@ Unlimited 


@ Limited To: 1,000 connections 
Connection Timeout: 600) seconds 


IV HTTP Keep-Alives Enabled 

















‘Iv Enable Logaing 


Active log format: 


Jw3c Extended Log File Format x] Properties... | 














Figure 17 Web Site Identification Property Sheet 


Operators Tab 


38 


Web Site Operators — See Figure 18 


This is where the administrator designates which Windows 2000 Server group/user 
accounts to administer the web site. This should be a group (if server is in a domain) and 
the accounts within the group should not necessarily require Windows 2000 
Administrative permissions. Operators can work only with the properties that affect the 
web site for which they were created. They cannot access the properties that control 
overall IIS setup, the Windows 2000 server operating system that hosts IIS, or the 
network on which the system runs. The following are some functions that can be 
performed by Web Operators. 

Lh NOTE: When selecting members, make sure individuals are 

0 


knowledgeable and trustworthy to minimize compromising 
your system’s security. 





= Manage web content expiration dates and times 
= =Administer web content (modify, add, delete) 

=™ ~=Enable Logging 

™ Change default web documents 


™ Set Web Server access permissions 
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Only members of the Windows 2000 Administrators group can perform the following 
tasks related to IIS: 

™ Change application isolation 

= Create virtual directories or alter their paths 

™ Change the Anonymous Username and Password 


= Alter the identification or configuration of a web site 
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Default Web Site Properties an Prix 


Directory Security | HTTP Headers | Custom Errors | Server Extensions | 
Web Site Operators Performance | ISAPI Filters | Home Directory | Documents | 
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Web Site Operators 


Grant operator privileges on this Web Site only to these Windows User 
Accounts. 






Operators: 





Add... 


Administrators 








Remove 











OK Cancel Apply Help 
_taneel_| ier | 





Figure 18 Operators Tab for Default Web Site Properties 


Home Directory Tab 


See Figure 19 


The Home Directory property dialog box allows the administrator to look at and change 
settings that control web content delivery, access permissions, and Active Server Page 
configuration and debugging. Options that are available on this dialog box will vary based 
on the location of the content. However, all security-related settings can be covered 
under the A directory located on this computer option. 
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Default Web Site Properties ae) 2xi 


Directory Security | HTTP Headers | Custom Errors | Server Extensions | 
Web Site | Operators | Performance | ISAPI Filters Home Directory Documents | 
When connecting to this resource, the content should come from: 
















@ & directory located on this computer 
 & share located on another computer 
© A redirection to a URL 


Local Path: [DN netpub\wwwroot Browse... | 





J Script source access IV Log visits 
IV Read T Index this resource 
T Write 


I Directory browsing 





Application Settings 


Application name: [Defaut Application Remove | 


Starting point: <Default Web Site> - - 
Configuration... | 

Execute Permissions: |’ ~ | 

Application Protection: [Medium (Pooled) 7] Unload | 











Cancel | Apply | Help | 


Figure 19 Web Site Home Directory Default Properties 


Access Permissions 

Permissions set here need to match NTFS permissions. If they do not match, the most 
restrictive of the two will be enforced. Configure directories with appropriate permissions 
for your site(s), as described in the Post Installation section of Chapter 1, i.e., configure 
one directory with Read only permission and one with Script only (described below). 


Content Control 

Script source access — Users can access source files. If Read is selected, then source 
can be read, if Write is selected, then source can be written to. Script source access 
includes the source code for scripts, such as the scripts in an ASP application. This 
option is recommended to remain unchecked. This option is not available if neither Read 
nor Write is selected. This feature is only applicable and necessary when utilizing remote 
authoring, (i.e. WebDAV). 


Directory browsing-— This allows visitors to look at a hypertext listing of the directories 
and files on your system. This is NOT recommended. The issue here is that if no default 
document is sent to the client when the site is accessed, the unknown user will get a 
directory listing of your system instead. This exposes more of your system to unknown 
users. Make sure this option is NOT selected. 


Log visits — It is recommended to enable logging, which is the default. This ensures that 
all visits to this directory are logged into the log file. 


Application Settings 
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An application is the directories and files contained within a directory marked as an 
application starting point. 


Application protection — This option enables the administrator to isolate a web-based 
application by having it run in a memory area that is separate from the web server 
software and/or other applications. It is recommended that this be set to medium or high. 
If set to medium, protection is provided to help preclude applications from inadvertently 
causing problems with the web server software. If set to high, the application will be run 
in a completely separate memory space that will not affect other applications either. 


NOTE: Server-side include (SSI) and Internet Database 
Connector applications cannot be run in a separate memory 
Ce 


space from the web server's memory space. 
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Execute Permissions — These settings control the execution of applications contained 
within the directory. Permissions include: 





™ None - prevents programs or scripts from executing. 


= Scripts — Restricts execution to scripts that have had file extensions previously 
mapped to scripting applications. Make sure the directory with this permission does 
not allow Read access to anonymous users. If Read permission is granted, it is 
possible that users may be able to look at the information contained within the 
scripts, some of which may be sensitive (i.e., passwords). 


= Scripts and Executables — Allows any application to execute, including scripts and 
binaries, such as .exe and .dll files. Use care when granting this permission. This 
permission should only be used for directories that contain binary files that must be 
executed by the web server. If your site requires this permission for a directory, make 
sure it does not have NTFS write permissions allowed for anonymous users to your 
site (WebUsers, for example). Write with Execute permissions would allow a user to 
place executable code (possibly malicious code) on your server. 


Application Configuration 


Applications can be configured in more detail by using the Configuration button. A 
separate dialog box is displayed with the following tab options: App Mappings; App 
Options; Process Options (if High application protection is selected); and App Debugging. 
Information regarding the security of App Mappings is covered in the Script Mappings 
section of Chapter 4. The Script Mapping section also plays a critical role in protecting 
the IIS server from potential compromise. 
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App Options Tab 


These options can be configured at the web site, virtual directory, and directory level. 
See Figure 20: 





Application Configuration ie 2 re Xd 


App Mappings App Options | Process Options | App Debugging | 
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- Application Configuration 


IV Enable session state 


Session timeout: [20 minutes 


IV Enable buffering 





T” Enable parent paths 


Default ASP language: [VBScript 
ASP Script timeout: [g0 seconds 











Cancel | Apply | Help | 


Figure 20 Application Configuration App Options Tab 





Enable session state and Session timeout — Check this option so that Active Server Pages (ASPs) 
create a new session for each user who accesses an ASP application. This lets you identify the user 
across several ASP pages in your application. When the user does not request a page or refresh 
within the session timeout period, the session will be terminated. Set an “ASP Script timeout” value so 
that if a script does not complete execution within the allotted time, an entry will be made into the 
Windows 2000 Server Event Log and execution of the script will stop. Setting timeout values will help 
prevent a denial of service attack. 


It is not recommended that Enable parent paths be selected. This allows ASP scripts to 
use relative paths to the parent directory of the current directory ( ".." syntax ). If the 
parent directory permits Execute access, a script could attempt to run an unauthorized 
program in a parent directory. 
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Process Options Tab 


Enable Write unsuccessful client requests to event log (only available when using high isolation). See 
Figure 21: 
Application Configuration a7 an xi 





App Mappings | App Options Process Options App Debugging | 





Process Configuration 


JV Write unsuccessful client requests to event log 
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JV Enable debug exception catching 


Number of script engines cached: fi 25 


— Script File Cache 
© Do not cache ASP files 


© Cache all requested ASP files 
@ Max ASP files cached: [250 


~ CGI Configurations 




















CGI script timeout; |300 seconds 








Cancel | Apply | Help | 





Figure 21 Application Configuration Process Options Tab 
Documents Tab 


It is recommended that the administrator always provide a default document that all users 
will see when accessing the site(s). This helps prevent displaying the directory structure 
of the site to a user unintentionally. This happens when the Directory browsing option is 


left enabled. See Figure 22: 


Default Web Site Properties 21x 


Web Site | Operators | Performance | ISAPI Filters | Home Directory | 
Documents | Directory Security | HTTP Headers | Custom Errors | 









Default. htm 
Default. asp Add... 


iF EnGve 


i 








-—T~ Enable Document Footer 


—— 


Figure 22 Documents Tab 











Browse, 
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Directory Security Tab 


Security properties can be set at the web site, directory, virtual directory, or file level. 
Directory level will be used here to describe the settings, but apply to whichever level you 
are working with. See Figure 23: 











Default Web Site Properties 


Web Site | Operators | Performance | ISAPI Filters | Home Directory | Documents | 
Directory Security HTTPHeaders | CustomErors | ServerExtensions | 





Anonymous access and authentication control 
) : Enable anonymous access and edit the 


authentication methods for this resource. Edit... | 


—IP address and domain name restrictions 








a Grant or deny access to this resource using 


IP addresses or internet domain names. 








> Secure communications 


Require secure communications and 5 Cettificat 
9 enable client cettificates when this oct Let st 


fesource is accessed. 






View Certificate... 











OK | Cancel | Apply | Help | 


Figure 23 Directory Security Tab 
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Anonymous access and Authenticated access — The options presented on this 














dv Anonymous access 


No user name/password required to access this resource. 


Account used for anonymous access: Edit... 


Authenticated access 


For the following authentication methods, user name and password are 
required when 

- anonymous access is disabled, or 

- access is restricted using NTFS access control lists 
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[ Basic authentication (password is sent in clear text) 


Select a default domain: Edit | 


Tl Digest authentication for Windows domain servers 


IV Integrated Windows authentication 


OK Cancel | Help 


Figure 24 Authentication Methods Dialog Box 














IP Address and Domain Name Restrictions - This option allows the administrator to 
specify who can access your WWW site based on IP address. There are two options on 
this property dialog box, Granted Access and Denied Access. Granted Access allows all 
computers access to your resources except those specifically identified by IP address. 
Denied Access restricts access to resources to ONLY computers with IP addresses 
specifically listed, requests from any other computers are denied. Three options are 
available when specifying computer IP addresses: single computer, where administrator 
specifies a single IP address; Group of computers, where administrator specifies the 
network ID and subnet mask; or Domain name (a warning message appears stating this 
option will cause a significant degradation in performance, due to the need to perform a 
DNS reverse lookup on each connection request). See Figure 25: 
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By default, all computers will be: of @ Granted Access 
Except those listed below: 3) Denied Access 


IP Address (Mask]/Domain Name 





Add... 


xe) 
c 
(40) 
c 
| © 
2 
oc © 
a — 

(4) 
85 
ot 

7) 
Om.) 
no) 
> 
= 
or) 
ep) 


rNXofaatiarcsviacua(ela 


Remove 














Figure 25 IP Address and Domain Name Restrictions 


Secure Communications — This option is used to configure SSL features available on 
the web server. This enables the encryption of all traffic between the client and server. 
Once set up, visitors to your web site must use a browser capable of supporting secure 
communications. Further detail on this topic can be found in Chapter 4. 


Server Extensions Tab 


IIS 5.0 allows remote authoring. For every applicable web site on the IIS server, it is our 
strong recommendation that the enable authoring option be disabled. This feature would 
allow the FrontPage product to make changes to a web page and upload the new page to 
the server. See Figure 26: 
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Default Web Site Properties a ie: 2| x 





Web Site | Operators | Performance | ISAPI Filters | Home Directory | Documents | 
Directory Security | HTTP Headers | Custom Errors Server Extensions 


T~ Enable authoring 


Version control None v | 


Performance 








Use custom settings 





Client scripting 





Options 
Specify how mail should be sent 





UOI}eu|SIUIIPY 


Configure Office Collaboration features Aaminister 





ep) 
i.) 
@ 
<. 
re) 
i) 
7) 
=] 
a 
a 
—s 
o 
=a 
fe) 
=) 
i) 
=| 
jo 


[Don't Inherit Security Sett ngs 
J” | Lea authoring actions 
J” Man 
[| Require SSL for authoring 





emissions manually 





(version 4.0.2.3406) 






Cancel | Apply | Help | 


Figure 26 Server Extensions Tab 


Version control — Allows the administrator to keep track of who is modifying web 
content, identifying any changes, and prevent one authors changes from erasing 
another's. If authoring is enabled, version control should be enabled as well. 


Don’t inherit security settings — The ability is given to inherit or not inherit the security 
settings of the global master properties (identified in Chapter 2). Although these options 
are selected on the master property sheet, in the event that authoring is enabled, it is 
recommended to explicitly set them again. 


File Transfer Protocol (FTP) 


FTP allows clients to transfer files to and/or from an FTP server. Although much of the 
FTP functionality on the Internet is being replaced by the WWW service, FTP is still in 
common use. It is recommended to configure the FTP server so that uploading of files to 
the server is prohibited. If uploads need to be allowed to come into the server, create a 
separate directory (a “drop box”) called \INCOMING to receive these files. Also, monitor 
this directory regularly as part of your security policy. 


Organizing FTP Directories 
It is recommended that FTP directories be organized for the users. For FTP downloads, 


the directory names should reflect directory contents. For example, device drivers could 
be organized within directories with operating system names. Make sure FTP download 
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directories are configured for Read ONLY permission. Create a “drop box” directory for 
temporary storage of files written to the FTP server. Files written to this directory should 
be examined for suitability and security risk then placed in the directory for downloading 
by others. Access to the “drop box” is limited to the Write permission for the anonymous 
user's account. Conversely, the FTP directory configured for user downloads is set to 
Read ONLY. This may be a little inconvenient because the anonymous users will not be 
able to look at files uploaded by others, but it will prevent them from altering or deleting 
those files. This will also prevent unauthorized users from using your site to store illegal 
software, pornography and hacking tools. A web site administrator should review files 
uploaded to the drop box and place them in the Read ONLY directory for downloading by 
others. 


FTP Site Tab 
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Contains the same properties as the Web Site tab, but apply specifically to your FTP 
service. The administrator can set the FTP site identification information, control the 
number of connections, and set a connection timeout. It is recommended that the Enable 
Logging option be selected and assigned a connection timeout value to allow better 
control potential of DoS attacks and server resource consumption. See Figure 27: 


Default FTP Site Properties a 21 xi 





FTP Site Security Accounts | Messages | Home Directory | Directory Security | 














Identification 
Description: Default FTP Site 
IP Address: (All Unassigned) v 
TCP Pott: ja 
- Connection 
™ Unlimited 


(© Limited To: 500 connections 
Connection Timeout: 600 seconds 


-¥ Enable Logging 








Active log format: 


fwac Extended Log File Format 7] Properties... | 
Current Sessions... | 











Cancel | Apply Help | 


Figure 27 FTP Site Tab 
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Security Accounts Tab 


This tab is used to configure anonymous FTP access and FTP site operators. It is 
recommended that the Allow only anonymous connections box be checked to restrict 
access to ONLY anonymous connections. When this box is checked, users cannot log on 
with real usernames and passwords, which are sent in the clear, preventing a possible 
attack using the administrators account or another privileged account. Please note that 
even with this option checked there is nothing to prevent a user from attempting to log on 
with user name/password — this needs to be carefully factored into a decision to stand up 
a FTP server. A user in the habit of entering a user name/password combination will 
probably do so at the FTP prompt. Even though the connection attempt will be rejected, 
the damage has already occurred as the password was sent in the clear. When users 
log on anonymously they typically use their e-mail address as their password. The FTP 
server then uses the IUSR_computername account as the logon account for permissions. 
Integrated windows authentication is not available for the FTP service. The lower portion 
of the property dialog box is used to designate which user accounts will be administered 
to the FTP site. It is recommended that user accounts be used, since IIS 5.0 does not 
allow the inclusion of created local groups (unless it belongs to a domain, then the 
administrator can include domain local/global/universal groups). See Figure 28: 
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Default FTP Site Properties i ie at 2| xi 





FTP Site Security Accounts Messages | Home Directory | Directory Security | 





Jv Allow Anonymous Connections 


Select the Windows User Account to use for anonymous access to this resource 


Username: [lUSR_IS5-SERVER Browse... 
Password : 


JV Allow only anonymous connections 


IV Allow IIS to control password 








FTP Site Operators 
Grant operator privileges to Windows User Accounts for this FTP site only. 






Operators: 





Administrators Add... 






Remove 











Cancel | Apply | Help | 


Figure 28 FTP- Security Accounts Tab 





Select the Allow IIS to control password option to match the anonymous FTP logon 
user name and password (typically |USR_computername) with the account created in the 
users section of the Computer Management Snap-in. If |USR_computername is not the 
anonymous user account, make sure the anonymous user account defined is an account 
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UNCL/ 


on the local computer. This will help ensure that the web server is available if the domain 
controller is inaccessible and the anonymous account is a domain account. 


Messages Tab 


There are three types of messages that can be displayed to the user; Welcome, Exit, and 
Maximum Connections. It is recommended that a Welcome message in the form of a 
Security Banner be displayed to any user connecting to your FTP server. Exit messages 
can be used to display notices to users upon connection termination. In the event the 
maximum number of connections has been reached, the Maximum Connections 
message can be used to notify the user of this event. See Figure 29: 


Default FTP Site Properties ee) 21 xi 


FTP Site | Security Accounts Messages | Home Directory | Directory Security | 
FTP Site Messages 













Welcome: 





"PLACE YOUR WARNING MESSAGE HERE" 


Exit: 
"PLACE YOUR EXIT MESSAGE HERE" 


Maximum Connections: 


[Maximum number of connections has been reached, please try again later. 











Cancel | Apply | Help | 


Figure 29 FTP - Messages Tab 


Home Directory Tab 
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This is used to specify where the content comes from (either from a directory located on 
this computer or from a network share located on another computer, URL redirections 
cannot be specified). The local path to the directory, access permissions, and the style of 
the directory listings that IIS sends to the client can also be configured. 


It is recommended that this directory have Read access ONLY. If your site requires users 
to upload data, create two directories beneath the “ftproot” directory. One with Read 
ONLY access to store data made available to all users for download, and one with Write 
Only permission to be used as a “drop box” for users to upload data into. A web operator 
could then be responsible for reviewing the data in the “drop box” prior to making it 
available to all users in the Read ONLY directory. See Figure 30: 
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When connecting to this resource, the content should come from: (0) 
(* a directory located on this computer =s 
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FTP Site Directory 3 7) 
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Directory Listing Style = 
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Cancel | Apply | Help | 





Figure 30 FTP - Home Directory Tab 


Directory Security Tab 


This tab (See Figure 31) will allow specification of who can access your FTP site based 
on IP address. There are two options on this tab, Granted Access and Denied Access. 
Granted Access allows all computers access to your resources except those specifically 
identified by IP address. Denied Access allows ONLY those computers with listed IP 
addresses access to your resources and denies all other requests. Three options are 
available when specifying computer IP addresses: single computer; group of computers 
(where the network ID and subnet mask is specified); or Domain Name (be careful when 
choosing this option, a warning message appears stating this option will cause a 
significant degradation in performance, due to the need to perform a DNS reverse lookup 
on each connection request). 


If there is a defined set of users that will be permitted to access the ftp directory, it is 


recommended to select Denied Access. This will permit only specified computers access 
to the data within the ftp directory and deny access to all others. 
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By default, all computers will be: Gf (@ Granted Access 


Except those listed below: ns) © Denied Access | 


IP Address (Subnet Mask] 


rNXofaatiarcsviacua(ela 


xe) 
Cc 
o 
Cc 
ae) 
= 
& 
@ 
BY 
2) 
i= 
ip) 
a 
<2 
> 
— 
o 
op) 

















Cancel | Apply | Help | 


Figure 31 FTP - Directory Security Tab 


Simple Mail Transfer Protocol (SMTP) 


IIS 5.0 includes an SMTP mail service used to transfer Internet messages between 
servers. The SMTP service does not provide a POP server and is not intended for use by 
end-user programs (i.e., Netscape Mail or Outlook Express). This service is fully 
compatible with most SMTP servers and clients. This service is intended for use with 
building Internet applications that utilize SMTP. This allows, for example, the server to 
send a confirmation e-mail message to a customer who submits a registration form. A 
web server can also receive messages. This is useful in the event a mail message sent 
by the server could not be sent. The web server could receive a non-delivery receipt 
notifying a web administrator of the status of the message. A web administrator could 
also setup a mailbox to collect customer feedback messages regarding a web site. 
Because of this, the web server listens on the standard SMTP port (tcp 25), which makes 
it vulnerable to attack. Shown below are dialog boxes available for configuring SMTP 
properties. Access the dialog boxes by highlighting the SMTP site on the Internet Service 
Manager and selecting properties on the Action pull down menu. 


General Tab 
This tab (See Figure 32) gives the administrator the ability to control several options of 


the general SMTP server. Ensure Enable Logging is checked and configure the logging 
properties as you would the services discussed previously. 
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Default SMTP ¥irtual Server Properties Pee zi xi 


General | Access | Messages | Delivery | LDAP Routing | Security | 


Default SMTP Virtual Server 





Name: [Detaut SMTP Virtual Server 
IP address: [ {All Unassigned) >] Advanced... | 


Connection 


Configure the connection information used by this Rangrerey | 
resource. = 
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Iv Enable logging 
Active log format: 


fwac Extended Log File Format aa Properties... | 














Cancel | Apply | Help | 


Figure 32 SMTP - General Tab 





Access Tab 


To access the Authentication dialog box, simply click on the Authentication button. The 
authentication options are similar to those mentioned in the other services (See Figure 
33). An explanation of each follows. Depending on the use of the server different 
recommendations would be necessary, thus a single recommendation is not presented. 


Anonymous access — Defined earlier in this chapter. 
Basic authentication — Defined earlier in this chapter. 


Requires TLS encryption — Selecting this option will encrypt the incoming messages to 
the server using Transport Layer Security. 


Default domain — To use Basic authentication a default domain will be appended to the 
username supplied. This section gives you the ability to assign the default domain. 


Windows security package — When using a mail client that supports this authentication 
method, such as Microsoft Outlook Express (IE 5.0), the authentication is done in a more 
secure manner. The Windows security package uses a cryptographic technique that does 
not transmit the actual passwords across the network. 
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Authentication 


Select acceptable authentication methods for this resouce. 
IV Anonymous access 

No user name or password required. 
JV Basic authentication 


The password will be sent over the network in clear text using standard 
commands. 
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The client and server negotiate the Windows Security Support Provider 
Interface. 





Cancel | Help | 


Figure 33 SMTP - Authentication Dialog Box 





Microsoft SMTP Service supports the use of Transport Layer Security (TLS) for 
encrypting transmissions. The use of TLS can be required for all incoming connections 
through the Secure Communication section of the Access Tab. To use TLS for the server, 
key pairs must be created and key certificates must be configured. Select the Certificate 
button, which will allows the creation of a certificate request to send to a CA. Once the 
certificate is received, the administrator can require encryption by clicking on the 
Communication button of the Secure Communication section of the Access Tab. If the TLS 
encryption will be used select the Require 128-bit encryption option shown below (See 
Figure 34). This will maximize the protection of the data between the web clients and the 
server from unauthorized view and modification. 


Once a valid key certificate is installed, you can require that access take 
place on a secure channel. 





JV Require secure channel 


Access can also be limited by the strength of the encryption. Select 
this option only if 128-bit encryption is supported on this computer. 


IV Require 128-bit encryption 





Cancel | Help | 





Figure 34 Security Dialog Box for SMTP 
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The Connection dialog box can be accessed by clicking on the connection button on the 
Access Tab from the SMTP Virtual Server Properties sheet. The connection box works 
the same as the domain blocking from the WWW and FTP services. If this machine will 
be an Internet server, then select All except the list below. If the server will only be 
accessed from computers within your network domain, select Only the list below and add 
your network class domain to the allowed list. See Figure 35: 


Select which computers may access this virtual server: 
(© Only the list below 
All except the list below 


Computers: 






Access IP Address (Mask) / Domain Name 
@ Granted 192.168.100.1 








Add... Remove 





OK Cancel Help | 





Figure 35 Connection Dialog Box for SMTP 


The Relay button on the Access Tab for SMTP Virtual Server Properties provides the 
capability to restrict which computers can drop off messages for relay to other SMTP 
servers. Configuring this option is similar in concept to configuring the IP Address and 
Domain Name Restrictions property. Select either Only the list below to allow only 
specifically defined computers to relay through this service, or All except the list below to 
allow all computers to relay requests. Be careful when configuring this option. Accepting 
a request to relay could possibly allow spammers to forward mail through your server and 
have it appear as though that is where it originated. It is recommended that you select 
Only the list below and not allow any exceptions. If the administrator chooses to allow the 
server to become a Mail Relay, only allow authenticated computers by selecting the 
option Allow all computers which successfully authenticates to relay, regardless of the list 
above. Authentication is accomplished through Integrated Windows authentication or 
Basic authentication set on the SMTP mail directory. See Figure 36. 
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Relay Restrictions a a xi} 
Select which computer may relay through this virtual server: 
@ Only the list below 


© Allexcept the list below 
Computers: 





Access IP Address [Mask] # Domain Name 





J Allow all computers which successfully authenticate to relay, regardless 
of the list above. 





Cancel | Help | 





Figure 36 Relay Restrictions for SMTP 


To set authentication for outgoing mail, click the Outbound Security button on the 
Delivery Tab located on the SMTP Virtual Server Property sheet. For outgoing mail, the 
administrator can specify what authentication method will be required by the receiving 
SMTP server and whether or not to use TLS encryption. Of course the 
authentication/encryption choices must be compatible with the server at the other end of 
the connection, which makes setting any security on outbound messages impractical if 
the server is sending messages to a heterogeneous environment such as the Internet. 
The specific options available on dialog box have been explained earlier in this chapter. 


Particularly if operating over an Intranet and if your server is sending any type of sensitive 
information, it is recommended to use at least minimum security such as Basic 
authentication with TLS encryption. See Figure 37: 
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Security Tab 
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Outbound Security 3 he xi 


(@ Anonymous access 


No user name or password required. 


© Basic authentication 


The password will be sent over the network in clear text using standard 
commands. 


User name: Browse 
Password 


© Windows security package 


The client and server negotiate the Windows Security Support Provider 
Interface. 


Account Modify, 
Password 


J” TLS encryption 








OK Cancel | 





Figure 37 Outbound Security Dialog Box for SMTP 


The Security tab allows the definition of a user or group responsible for managing this 
service. Unlike the WWW and FTP services, there is the ability to create local groups to 
manage user accounts. This local group can be included as an operator for the SMTP 
server and is the recommended method. Note: If utilizing a domain and domain groups 
do not utilize local groups here for ease of administration. See Figure 38: 
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Default SMTP ¥irtual Server Properties 2) xi 





General | Access | Messages | Delivery | LDAP Routing Security 


Grant operator permissions to these Windows user accounts. 


Operators: 


S&B SMTPAdmins 


OK | Cancel | Apply | Help | 


Figure 38 SMTP - Security Tab 





Network News Transfer Protocol (NNTP) 
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IIS 5.0 includes an NNTP news service used to host USENET-style discussion groups on 
an intranet/extranet. It supports multiple authentication methods, IP/domain blocking and 
news feed downloads. Shown below are dialog boxes available for configuring NNTP 
properties. Access the dialog boxes by highlighting the NNTP site on the Internet Service 
Manager and selecting properties on the Action pull down menu. 


General Tab - Make sure Enable logging is selected. See Figure 39: 
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Default NNTP ¥irtual Server Properties 





General | Access | Settings | Security | 


ey Default NNTP Virtual Server 


Name: [Detaut NNTP Virtual Server 
IP address: [ai Unassigned) 7] Advanced... | 


Connection 


Configure the connection information used by this Tepsceiey | 
fesource. = 


Vv Enable logging 
Active log format: 


W3C Extended Log File Format Properties... | 
Path header: 


























Cancel | Apply | Help | 


Figure 39 NNTP - General Tab 





Authentication Methods dialog box — See Figure 40. This box can be reached by 
clicking the Authentication button on the Access Tab from the NNTP Virtual Server 
Property Sheet. This sheet gives the ability to choose the authentication method to use 
for clients connecting to your news server. Due to the nature of news messages and the 
ability to post messages using falsified information, it is highly recommended that the box 
for Allow anonymous be cleared if the news server is outside the security perimeter (i.e. 
firewall). This is often an overlooked feature and causes a company to allow the whole 
world to use their news server to post messages (including vulgar, explicit material and 
also pirated software). If the news service is being allowed for only internal users, put the 
server inside the security perimeter (i.e., firewall, border router) and then select the option 
for authentication that is compatible with all the clients that you use. If the administrator 
has the ability to obtain a server certificate, SSL would be an excellent choice, this way 
there is less dependence on the client platform. 


By using authentication other than anonymous, there is better granularity over the 
material that different users or groups of users can see. This allows easier administration 
and the ability to customize discussion groups for specific departments and or special 
project groups. 
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Authentication Methods Xi 


Select one or more Authentication Methods for this resource: 


J Allow anonymous 


No username or password required to access this resource 


Anonymous... | 


IV Basic authentication (Password is sent in clear text) 


Username and password required when: 
* Allow Anonymous is disabled 
* Access is restricted using NTFS Access Control Lists 
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IV Windows security package 


Username and password required when: 
* Allow anonymous is disabled 
* Access is restricted using NTFS Access Control Lists 





J Enable SSL client authentication (requires server certificate) 
J Require SSL client authentication 


[| Enable client certificate mapping to Windows user accounts 








Secure sockets layer 30 \client certificate requiredite access thr 
resource, (lent mappings maps client certificates to Windows user 
accounts 

Glient Mappinas 








Figure 40 NNTP Authentication Methods 


The Connection dialog box (See Figure 41) can be accessed by clicking on the 
connection button on the Access Tab from the NNTP Virtual Server Properties sheet. The 
connection box works the same as the domain blocking from the SMTP, WWW and FTP 
services. If this machine will be an Internet server, select All except the list below. If the 
machine will be used by computers within your network domain, select Only the list below 
and add your network class domain to the allowed list. 


Connection 





Select which computers may access this virtual server: 
Only the list below 


 Allexcept the list below 


Computers: 






Access IP Address [Mask] # Domain Name 


@ Bene 192.168.0.0 (255.255.0.0) 









Remove 
OK Cancel | Help | 








Figure 41 NNTP - Connection (domain blocking) 
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Settings Tab 


On the Settings tab (See Figure 42) there are several customizable features for size of 
messages, who is allowed to post, server pulling, and SMTP server and moderator 
information. There will be two aspects of this screen discussed. 


The Allow servers to pull news articles from this server is an important option, especially if 
the machine will be located outside the security perimeter. It is recommended that this 
option be cleared. This will stop messages posted to the server from being propagated 
throughout the world’s NNTP servers. This is especially true if it is used for internal 
messaging. If users and news feeders will not be allowed to delete news groups or 
messages, it is recommended to clear the Allow control messages check box. Malicious 
users have been known to use control messages to create problems with mis-configured 
or unpatched news servers. 
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Default NNTP ¥irtual Server Properties a 21x! 





General| Access Settings | Security | 


IV Allow client posting 


JV Limit post size (KB): fico 
JV Limit connection size (MB): [oll 
IV Allow feed posting 

IV Limit post size (KB): fisco 
JV Limit connection size (MB): [a0 4 


T Allow servers to pull news articles from this server 
IV Allow control messages 


SMTP server for moderated groups: 


Default moderator domain: 


Administrator Email account: 
Admin@Corp.com 


Cancel | Apply | Help | 


Figure 42 NNTP - Settings Tab 
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Security Tab 


The Security tab (See Figure 43) allows the definition of a user or group responsible for 
managing this service. Unlike the WWW and FTP services, there is the ability to create 
local groups to manage user accounts. This local group can be included as an operator 
for the NNTP server and is the recommended method. Note: If utilizing a domain and 
domain groups do not utilize local groups here for ease of administration. 





Default NNTP ¥irtual Server Properties 21x 
General | Access | Settings Security | 
Grant operator permissions to these Windows user accounts. 


Operators: 


Ee NNTPAdmins 


OK | Cancel | Apply | Help | 


Figure 43 NNTP - Security Tab 
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Recommendation Checklist for Chapter 3: 


WWW Properties 


OQ Remove IUSR_computername logon as a batch job and access this computer from the 
network user rights, (if required, implement workaround) 


Identify need for SSL 


Q Identify IP address/groups or Internet domains for restrictions, if any 





Organize directory structure for file types (html, ASP, scripts, executables) 


o Set NTFS permission for the WebUsers group. Use this group for all 
permissions with NTFS 


Web Site Tab 
OQ Ensure Enable logging is selected 


Operators Tab 





Q Include local accounts of persons to administer site(s), or domain groups 
Home Directory Tab 
Q Html, ASP have READ access 
Scripts, executables have Script or Scripts and executables access only, NOT READ 
Disable (uncheck) Directory browsing option 
Disable (uncheck) Script source access option 


Ensure Log visits is selected 


O O O O O 


Ensure None is selected for the Execute Permissions drop down box 
App Options tab (from configuration button) 

QO Enable session state and timeout 

Q Set session timeout period 

QO Disable (uncheck) Enable parent paths 


Process Options Tab (If using application protection in high {Isolated} mode) 





O Enable Write unsuccessful clients requests to event log 
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Documents Tab 
Q Provide a default document for all web sites 
Directory Security Tab 


QO If using Basic authentication: Implement SSL 





O If any site hosted by this server will NOT allow Anonymous access, Disable 
(uncheck) Anonymous access, under Authentication methods and select appropriate 
authentication method 
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Q Set any IP/Domain name restrictions that will be utilized to protect the site(s) 


Server Extensions Tab 





QO Disable (uncheck) enable authoring on web site(s) 





If authoring is permitted 
o Select Don’t inherit security settings 


o Enable Log authoring actions, Require SSL for authoring and Manage 
permission manually 


FTP Properties 
Q Configure so uploading is prohibited 
Q Organized directory structure for users 


Q Assign all NTFS permission for the FTPUsers group 





Q All download directories are read only 
If upload is necessary 
o Create DROPBOxX directory and give write permissions only 
FTP Site Tab 
Q Set appropriate number of connections for max users on FTP server 
Q Set maximum seconds for timeout (inactivity), 600 seconds is reasonable 
O Ensure Enable logging is selected 
Security Accounts Tab 


OQ Ensure Allow Anonymous Connections is selected 





QO Select Allow only anonymous connections 
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Messages Tab 
Q Put in Warning banner for welcome message 


Home Directory Tab 





O Ensure Log visits is selected 
Q Ensure read only permissions for the ftproot directory (IIS permissions) 
Directory Security Tab 


Q Define the set of IP/domain name restrictions for the FTP site(s) 
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SMTP Properties 
General Tab 
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Q Ensure enable logging is selected 
Access Tab 
Authentication 
o Enable the required authentication method 
lf TLS is selected 
Communications 
o Select Require secure channel 
o Select Require 128-bit encryption 
Connection 


o Define the set of IP/domain name restriction for the SMTP server if required 


Relay 
o Select Only the list below 
o Deselect Allow all computers which successfully authenticate to relay, 
regardless of the list above 
Delivery Tab 


Outbound Security 


o Set appropriate authentication, use at least Basic authentication, include TLS 
encryption (requires certificates) if possible 
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Security Tab 
Q Add the SMTPAdmins group for Operator privileges 


NNTP Properties 
General Tab 


Q Ensure Enable logging is selected 


Access Tab 
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Authentication 


If being used outside of a security perimeter (i.e. firewall) 





o Disable Allow Anonymous 


Q Use of SSL is recommended, especially with Basic authentication (requires 
certificates) 


Connection 
o Select Only the list below and add your network domain 
Settings Tab 
Q Disable (uncheck) Allow servers to pull news articles from this server 
Q Disable (uncheck) Allow control messages 


Security Tab 





Q Add the NNTPAdmins group for Operator privileges 
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Additional Security Services 


This chapter describes; how to configure auditing in IIS 5.0, a brief description of the 
installation, use of Certificates and touches on a couple of final security issues. 
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In addition to the audit settings described in the Windows 2000 Security Guide, IIS 
logging should be enabled to enhance security auditing of the IIS environment. IIS 
logging tracks IIS-specific events related to HTTP/FTP/SMTP traffic in and out of the 
server. NNTP only offers general logging, not additional extended logging like the others. 
Included in the log is IP address information that is not available through Windows 2000 
logging and auditing mechanisms. Actively reviewing and correlating IIS logs can identify 
the following suspicious activity: 


= = Multiple failed commands 
= Attempts to upload files to directories configured for executable content 
= Attempts to access non published .bat or .cmd files and subvert their purpose 


= Attempts to send .bat or .cmd commands to directories configured for executable 
content 


™ Excessive requests from a single IP address, attempting to cause a denial of service 
attack 


IIS logging is configured through the Services properties dialog boxes — See Figure 44 
(WWW, FTP, SMTP and NNTP) by selecting the Properties button. 
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Default Web Site Properties t EF i 2) xi 


Directory Security | HTTP Headers | Custom Errors | Server Extensions | 
Web Site | Operators | Performance | ISAPI Filters | Home Directory | Documents | 





Web Site Identification 


Description: [Default Web Site 








| 
a IP Address: (All Unassigned) | Advanced... | 
oO cc I. 
roa TCP Port: [20 SSL Part 
on - Connections 
1°) © Unlimited 


© Limited To: 1.000 connections 
Connection Timeout: 600) seconds 


IV HTTP Keep-Alives Enabled 
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-—I¥ Enable Logging 


Active log format: 


fwac Extended Log File Format 7] Properties... | 











Cancel | Apply | Help | 


Figure 44 IIS Logging Configuration Example 





Below are some suggestions for configuring auditing as it pertains to IIS data: 


™ Move and rename the IIS Log Files directory. This can increase the difficulty 
unauthorized users experience while trying to cover their tracks. 


= Full Control access to the IIS Log Files directory should be limited to SYSTEM and 
Administrators ONLY (or whichever group is created to manage auditing on your 
system). No other accounts should be given access. 


= Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, 
Delete, Change Permissions, and Take Ownership are critical events for WWW 
content directories. They should be audited for success and failure in the Windows 
2000 audit facility. 


Extended Logging Properties -— (See Figure 45) The following configuration is 
recommended including the items in your IIS 5 logs. 
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Extended Logging Properties 


General Properties | Extended Properties | 





> New Log Time Period 
™ Hourly 

@ Daily 

C Weekly 
Monthly 
Unlimited file size 

© When file size reaches: 


13 = MB 











[- Use local time for file naming and rollover 


Log file directory: 


[wind ir%\System32\LogFiles Browse... | 


Log file name: = W3SYC1\exyymmdd.log 


Cancel | Apply | Help | 

























Extended Logging Properties 


General Properties Extended Properties | 





;- Extended Logging Options 




















¥) Time [time } 

Extended Properties 

Client IP Address [ c-ip } 

¥) User Name [ cs-username | 
Service Name [ s-sitename } 
Server Name [ s-computername | 
¥) Server IP Address [ s-ip } 

¥) Server Port [ s-port ] 

¥) Method [ cs-method | 

| URI Stem [ cs-uri-stem } 
v 
v 








4 


















































URI Query [ cs-uri-query } 
Protocol Status [ sc-status ] 
Win32 Status [ sc-win32-status ] >| 


mms wm ae tony 


Cancel | Apply | Help | 



































Figure 45 General and Extended Properties 
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= Date and Time event occurred 
m= IP Address of the client 


= Username (this is likely to be IUSR_machinename) accessing your site — this is very 
useful because this data does not appear in the NT log files 


™ HTTP method used to access your site 


= URI Stem - the resource accessed by the client (HTML page, script, or ISAPI 
application) 


= URI Query - the query the client was making 
= Status of the request 
= Time taken to process the request 


=™ URL of the last site visited by the client 


Certificates 


A more detailed description of how certificates and certificate authorities are implemented 
is available in a separate document entitled Guide to the Secure Configuration and 
Administration of Microsoft Windows 2000 Certificate Services and available via the 
same media in which this guide was delivered. The book entitled Administering IIS 5.0 by 
Tulloch, M., Santry, P. gives a good description of how to implement the use of a 
certificate manager within your IIS environment. The following section provides a brief 
description. 


If the system requires the use of SSL for secure communications between your clients 
and server, a server certificate must be installed and the client must have a browser that 
can support secure communications. Authentication, confidentiality, and data integrity 
can all be obtained with the use of digital certificates and SSL. A certificate is created by 
a certificate authority (CA). It is made up of a public key for cryptographic use, a validity 
interval, serial number, name, and certificate class. 


The Certificate wizard is the tool used to manage certificates in the IIS 5.0 environment. 
The Certificate wizard can also be used to export and backup your IIS server 
certificate(s). It is used to configure background information that will be needed to apply 
for a digital certificate and create the required files. The Certificate wizard can be 
accessed through the Secure Communications Server Certificate button of the Directory 
Security Tab of the Server and Web Site Properties dialog boxes. 


The following tasks are performed through the Certificate wizard, different options are 
available depending on if you have an existing certificate or not: 


= Create a new certificate 

= Assign an existing certificate 

= =Import a certificate from a Key Manager backup file 
= Renew the current certificate 


= Remove the current certificate 
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= Replace the current certificate 


Once the site has been configured to use certificates, activate the SSL security on the 
server using the ISM for the site that requires secure access. See Figure 46: 





Secure Communications 
¥ Require secure channel (SSL) 





Tl Require 128-bit encryption 








Client certificates 
@ Ignore client cettificates 


© Accept client cettificates 
© Require client certificates 





[Enable client certificate mapping 


Client certificates can be mapped to Windows user 

accounts. This allows access control to resources 

using client certificates. Edi | 

[” Enable certificate trust list 

Current ETL | 
Nev | Edit | 














OK Cancel | Help 





Figure 46 Configuring Site to Require SSL 


Web site developers can use scripts and client side certificates to control access to the 
site. IIS supports the mapping of client certificates to specific Windows 2000 user 
accounts. This allows more control over published content on the web. Organizations can 
authenticate users who logon with a client certificate by creating mappings that relate 
information contained in the certificate to a Windows 2000 user account. Using the IIS 
certificate-mapping feature, administrators can either map a specific user’s client 
certificate to an account (a one-to-one mapping — See Figure 47) or map multiple 
certificates to a single Windows 2000 user account (a one-to-many mapping — See 
Figure 48). IIS also supports wildcard mapping. To map multiple certificates to a single 
Windows 2000 user account, administrators define wildcard-matching rules that create a 
mapping by verifying whether a certificate contains certain items of information. For 
example, an administrator could define a matching rule that automatically maps any 
certificate issued by a particular organization to a user account, rather than creating a 
separate mapping for each client certificate. 
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Account Mappings xi 


1-to-1 | Many-to-1 | 


Edit “one to one" mappings. Each individual certificate is mapped into a specific Windows account. You can choose to 
map multiple certificates into the same account, but a separate mapping entry must exist for each. 


: ~ Subject 
|__| MappingName | Windows Account NSA 


C43 

Bill Walker 
us 
Maryland 
Linthicum 








apping 
7 [Sea S5\ranger 








;lssuer 
NSA 


C43 
US 











Edit Map... | Add... Delete | 


OK | Cancel | Apply | Help | 


Figure 47 1-to-1 Account Mapping Dialog Boxes 





Account Mappings inf x! 


1-to-1  Many-to-1 | 


When a client certificate is presented, these matching rules will be examined in the order in which they appear below. 
Upon the first match, the user will be logged into the associated Windows user account. 


IV Enable Wildcard Client Certificate Matching 





|_| Rule Description | Mapped Windows Account 


*~ Map all Users to Anonymous account IIS5-SERVERNMUSF_IIS5S-SERVER 


Move Up | 
Move Down | 


Edit Rule | Add... Delete 





Cancel | Apply | Help | 


Figure 48 Many-to-1 Account Mapping Dialog Box 
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To utilize account mapping the following must occur: 


= ©The web server must have a certificate and utilize SSL (see below for more 
information) 


= §=6The client must have a certificate (submit a request with the same procedure as the 
server) 


= Both of these certificates must be installed properly (refer to the Guide to the Secure 
Configuration and Administration of Microsoft Windows 2000 Certificate Services) 


= <Acopy of the clients certificate must be located on the web server (export clients 
.cer certificate and place on web server) 


= Mapping must be added as necessary 


To add a one-to-one mapping: Open the properties dialog box for the appropriate web 
site, click the Directory Security Tab, click edit under the Secure communications section, 
Enable client certificate mapping by selecting that option and click edit in that window. In 
the 1-to-1 dialog box (See Figure 47), click Add, browse to the clients certificate file that 
was brought over to the web server, create a Map Name, identify the account to 
associate with that user and identify the already existing password for that account, click 
OK. To create a many-to-1 mapping the steps are similar to those for a 1-to-1 mapping 
(See Figure 48). 


Server certificates will be obtained in accordance with your organization’s security 
policies. For example, in the Department of Defense, the DoD Public Key Infrastructure 
will supply server certificates. Given the diverse nature of the audience for this document, 
the exact procedures for obtaining a server certificate cannot be specified. However, the 
following is an illustrative example of how IIS interacts with Microsoft Certificate Server 
2000 to obtain a certificate. 


EXAMPLE: The Certificate Services setup program available on the Windows 2000 
Server and Advanced Server CDs installs the Certificate Server files and the web-based 
administration tools. Certificate Server runs as a Windows 2000 service and is configured 
by default to run automatically under the System account when the Windows 2000 Server 
system boots. A few steps need to be taken to allow your server to perform client 
authentication and for clients to perform server authentication. 


= Certify the server — The process of becoming certified takes place between your 
server and a CA. 


= Client certificate enrollment — A client submits a request to the server for a certificate 
and then installs it in the client application. 


These steps are accomplished by using the Certificate Server Certificate Enrollment 
Tools dialog box. Open the Certificate Server Certificate Enrollment Tools dialog box by 
opening Internet Explorer on C: \WINNT\System32\CertSrv\ (or the appropriate URL 
if accessing a certificate server over the network). It is a Web-based enrollment control 
used to perform the tasks listed. See Figure 49: 
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4 Microsoft Certificate Services - Microsoft Internet Explorer ee 
| File Edit ‘Yiew Favorites Tools Help Ki 
| Back ~ => + i] tat | Qsearch (Favorites ¢4History | Ey & 


| Address je) http: /localhost/certsrv/ >| @Go {Links = 


Microsoft Certificate Services -- TheBomb 























Welcome 


You use this web site to request a certificate for your web browser, e-mail client, or other 
secure program. Once you acquire a certificate, you will be able to securely identify 
yourself to other people over the web, sign your e-mail messages, encrypt your e-mail 
messages, and more depending upon the type of certificate you request. 


Select a task: 
© Retrieve the CA certificate or certificate revocation list 
@ Request a certificate 
© Check on a pending certificate 








i 
4 


| fas Local intranet 


Figure 49 Web Interface to Certificate Request 


NOTE: Once SSL and the use of certificates are configured 


for your site, clients must access the secure content using 
HTTPS. Clients can communicate with both secure and non- 
te 





secure HTTP servers. However, files and directories 
configured to require SSL would not be passed to clients that 
do not use HTTPS in their URL. 


You al elma \Ur-] e) eaters 
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The IIS web server is configured to support many different common filename extensions, 
which allows it to serve pages using a variety of different application .d1i files (See 
Table 2). Some examples of this include .html, .asp, .shtml and .shtm. Many 
web servers are used only for static pages such as .html, so there is no need for 
including these other mappings. The mappings that the server does not utilize should 
be removed. This will prevent any potential vulnerability in those .d11 files, such 
as buffer overflows, from affecting the security of your web server. 


A good example is the .htr entry. This entry is used to do web-based password resets 
and this is a default mapping. If this functionality is not being used, it should be removed, 
just like all other non-utilized features. If a need arises in the future to add some 
functionality, the mapping can always be added later. 


Here are some references along with their uses: 





Extension Use 














.htr Web-based password resets 
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Table 2 Script Mapping - File Extensions and Uses 


To access the script-mapping screen, open the ISM, right-click the web server and 
choose properties. Select the WWW service, click edit, go to the Home Directory Tab 
and click on Configuration. 


.ide Internet Database Connector 
.stm, .shtm, .shtml Server-side Includes > 
rom 
.printer Internet Printing & 
cer Represents a certificate S 
i @) 
.cdx Active Channel Definition File ap) D> 
; os OO 
.asa Active Server Application Lo 
= 
-htw, ida, .idg Index Server et 
ap) | 
@ 
—s 
ro) 
oO 
no 





WARNING: To prevent the .printer mapping from returning after a 
system reboot: Disable web printing by modifying the Web Based 
Printing policy in the Group Policy snap-in. It is located under Computer 
Configuration-Administrative Templates-Printers. Also, be sure to check 
the domain policy, if the IIS server is accepting policies from a domain. 
To verify, the following key should’ exist if disabled: 
“HKLM\Software\Policies\Microsoft\windows\NT\printers\DisableWebPrin 
ting REG_DWORD 0x1”. 


IPSEC Filtering 


This feature is part of the operating system, but due to its importance it is felt that a brief 
description and recommendation is necessary. First and foremost, your organizational 
policy should dictate ports and services that are and are not allowed. For most DoD 
organizations the policy states all ports not specifically permitted and required for the 
mission are to be denied. Once the operating system is installed and the web server 
configured, filtering out all the ports and allowing only those required is recommended. 
This will help to deter any potential vulnerability against ports and services that are not 
required for the web servers to operate. 


Using the MMC, the IPSEC module can be loaded and configured to block all port access 
with one rule (See Figure 50). For each service or port required additional rules must be 
added to allow communication. 













|| a Console Window Help 
| &ction View Favorites l --> 
Tree | Favorites | 


(|) Console Root 
{& IP Security Policies on Local Machine 












@4 client (Respond Only} Communicate normally (unsecured), Use the default respons 
4 secure Server (Require Security) For all IP traffic, always require security using Kerberos trusl 
4 Server (Request Security) For all IP traffic, always request security using Kerberos trus 


@A web Server 
>| 















Figure 50 IP Security Policies on Local Machine 
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IPSEC Filtering 
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In Figure 51, all ICMP as well as all IP traffic has been blocked and that all the specific 
traffic that is allowed by the server has been permitted. It is important to note that the 
IPSEC traffic filters are not applied sequentially (as seen in the list), the most specific 
filters are applied first. 


Web Server Properties i 2\ x) 


Rules | General | 


= Oy Security rules for communicating with other computers 





IP Security Rules: 


WiWw-80 traffic Permit Kerberos 
SSL-Traffic [443] Permit Kerberos 
SMTP-Traffic (25) Permit Kerberos 
NNTP-Traffic (119) Permit Kerberos 
FTP-Tratffic (21) Permit Kerberos 
AIP Traffic Deny Kerberos 
AILICMP Traffic Deny Kerberos 
O<o ynamic> Default Response Kerberos 


‘ >| 
Edt. | Remove | i Use Add Wizard 





Cancel |) Ape | 


Figure 51 IPSEC Filtering 





This sample configuration blocks all traffic to the web server, except, TCP ports 80 
(WWW), 443 (SSL), 25 (SMTP), 119 (NNTP), and 20-21 (FTP). 


Use caution when implementing IPSEC filtering. Make sure that every service that will be 
required is identified and a filter applied for it. If not, and these rules are implemented, 
those services will not be available to clients. This also includes ports required if the web 
server is participating in a domain. 


Finally, note that use of a firewall or filtering router may also be prudent. For example, if 
the IIS server is a part of a domain it will be necessary to open additional ports on the IIS 
server but those ports should be blocked from access by untrusted networks (e.g., 
Internet). 


The IISLOCK tool identified in Appendix A utilizes IPSEC filtering as part of its lock down. 
Please note the cautions identified in the tools section. 
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IIS Default Samples and Printers 


Disable or Remove All Sample/Printer Applications 




















> 
rom 
2. 
= 
= 
There are several directories and utilities in the default installation of IIS that are & © 
designed to highlight the capabilities of the server, see Table 3: @ a= 
eg 
ah 
ap) | 
Sample Virtual Directory | Location g 
IIS Samples \ISSamples %systemdrive%\inetpub\iissamples o 
n 
IIS documentation \IISHelp %windir%\help\iishelp 
Data Access \MSADC %systemdrive%\program files\common 
files\system\msadc 
Web Printing \printers %systemdrive%\WINNT\web\printers 

















Table 3 Directories and Utilities of Default Installation of IIS Samples 


During the installation of IIS, the administrator had the ability to not install the samples, 
but by default they are selected to be installed. The access to the samples is setup by 
default to only be accessible to the localhost (i.e., 127.0.0.1) via the web browser. Even 
though this is the case it is recommended to remove or disable the samples if and when 
they are no longer required. 


To stop the \printers web page from restoring itself upon reboot, do the following: delete 
the virtual folder in the ISM, open windows explorer, go to %systemdrive%\winnt\web and 
right-click. Choose properties on that folder, remove all entries in the ACL except 
Administrators and SYSTEM. Add the “WebUsers” group, and select the box for “Deny” 
under “Full Control”. Now, whenever the system reboots, the printer web page will not 
automatically restore itself. 


Operating System Directories and Executables 


Remove or Set ACL’s and Auditing on All Problematic Files and Directories 


After the installation of IIS, and the user group memberships have been completed, there 
is a need to lock down access to certain files and directories. To accomplish this, add the 
“WebUsers” group to the ACL of the directory or file (in the windows explorer right-click 
the directory or file, click properties, click the security tab). Next, set that group’s “Full 
Control” access to “Deny”, this will put check marks in all the deny boxes for all the 
different types of access. 


This type of access control will prevent unauthorized persons from gaining access to 
sensitive information or execute programs that allow further system exploitation. By 
hindering the ability to access these files you are extending the protection of the system 
and eluding potential compromise. 


Besides setting ACL’s, auditing of these files is also highly recommended. In the case 
that ACL’s are bypassed (i.e. a buffer overflow causing SYSTEM level access), auditing 
will allow the administrator to identify the illegal file access and restore the system before 
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further compromise is possible. Table 4 shows the recommended the files and directories 
to set ACL’s and auditing for. 





Directories Files Notes 





%systemdrive% (i.e. C:\) 





%systemroot% (i.e. C:\WINNT) ' 





%systemroot%\ Explorer.exe, Regedit.exe, Poledit.exe, 
Taskman.exe 
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%systemroot%\system 
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%systemroot%\debug 








%systemroot%\installer 





*%systemroot%\repair 





%systemroot%\security 





%systemroot%\system32 





%systemroot%\system32 at.exe, cacls.exe, cmd.exe, cscript.exe, 
debug.exe, edlin.exe, finger.exe, ftp.exe, 
nbstat.exe, net.exe, netl.exe, netsh.exe, 


rcp.exe, regedt32.exe, regini.exe, 
regsvr32.exe, rexec.exe, rsh.exe, 
runas.exe, runonce.exe, srvmgr.exe, 


sysedit.exe, telnet.exe, tftp.exe, tracert.exe, 
usrmgr.exe, wscript.exe, xcopy.exe 





%systemroot%\system32\dlicache 





%systemroot%\system32\drivers 





%systemroot%\system32\inetsrv 





%systemroot%\system32\inetsrv issync.exe 





%systemroot%\system32\os2 





%systemroot%\temp 

















Table 4 Directories and Files for Auditing and ACL's 
' Apply to directory only, NOT ALL FILES and SUBDIRECTORIES. 
? Apply to these files. 
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Recommendation Checklist for Chapter 4: 


Move and rename the IIS Log Files directory 


Full Control access to the IIS Log Files directory should be limited to SYSTEM and 
Administrators. 


Q Write, Delete, Change Permissions, and Take Ownership audited for success and failure. 
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Extended Properties 
Q Date 
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Time 

Client IP Address 
Username 

Server IP Address 
Server Port 
Method 

URI Stem 

URI Query 


Protocol Status 
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Time Taken 





Q Referrer 

Remove unnecessary script mappings 
Implement IPSEC filters 

Remove all Sample pages/directories/sites 


Implement ACL’s on operating system directories and files 
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Implement Auditing on operating system directories and file 
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Backup Procedures and Antiviral Precautions 
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This final chapter of the Guide to the Secure Configuration and Administration of 
Microsoft Internet Information Services 5.0 deals with backup procedures and antiviral 
precautions. 
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Backup Procedures 


It is very important to include a disaster recovery policy in your site’s security plan. There 
are several ways to backup the data provided to clients from your server. Automatic 
backups, such as disk mirroring or disk duplexing, where you have a complete copy of 
the server’s hard drive that can go online in the event the primary drive goes down, and 
manual backups. It is recommended that you do not rely on disk mirroring or duplexing 
exclusively. This strategy only protects against a single drive failure. In the event of a 
multiple disk failure, you must have other backups to recover. Here are some things to 
consider when implementing your backup strategy: 


=™ How often does the server content change? 
= How long can your site go without providing services to clients? 


= Members of the Backup Operators group should have special logon accounts 
(additional account used only for backups, example b.username) when performing 
backups. Backup privileges should not be assigned to regular user accounts. 


™ Consider keeping a set of backups offsite in the event of a natural disaster. 


= = =Make a set of backups before and after any maintenance to the web server. This 
includes any software/hardware changes to the system. 


= Itis very important that you make and TEST your backups regularly. 


=™ Make sure that NTFS permissions are intact when a restore is done from a backup. 


NalahVdie-l mea gelela-lan 


There are numerous public sector sources for information on antiviral products. A 
suggested starting point is the International Computer Security Association at 
http://www.ncsa.com. This web page contains a lot of generic information about viral 
solutions and hot links to the major vendors. 


Implement a robust anti-viral program as part of the security policy for the IIS 
environment. 
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IIS 5.0 Security Configuration Tools 








This section will identify some of the available IIS 5.0 security configuration tools. 
Microsoft offers these tools, which assist the user in configuring the security settings of 
their IIS 5.0 web server(s). If this guide has been implemented, then use of these tools is 
not necessary; however, some users may find the tools useful for automating certain 
aspects of IIS security. If using these tools, please note the associated warnings 
applicable to some of the tools and described below. 


IISperms (“What If” Tool) 


82 


lisperms.exe is a downloadable tool from Microsoft that can assist in troubleshooting 
security issues with IIS. This tool is a small graphical web page that allows the choice of 
setup type (not all possibilities available). If the desired setup is not listed, the tool will 
make assumptions and display a small graphic to represent what resources your clients 
can access. See Figure 52: 
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32 TIS Permissions “What If" - Microsoft Internet Explorer 


| File Edit View Favorites Tools Help a ane ye ve SERS Re Ei 
| Back - => + @ i | Qsearch (falFavorites C4History 











| Address fe) D:\Program Files\IISPERMS\iis_permissions.htm =| @Go |Links »| 


Microsoft” 


Internet Information Services 





The Internet Information Services Security "What If" Tool (v1.00.0059) 
By Michael Howard, IIS Security Program Manager (mikehow@microsoft.com) 





This simple tool will help you determine what browsers, platforms, authentication schernes and server 
configurations will allow you to access a remote resource. (Click here for more information.) 
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| Browser: ntemet Explorer 4.x he 
Client OS: Windows 9x, NT3.x, NT4.0 bd 5 
Scenario: nternet x - Rr 
Web Server: [IIS 4 (Windows NT 4.0) Fe emote 
| Resource 
Web Auth Anonymous (with password synch enabled) ¥ 


'Scheme: 
Check | Reset 











Remote 


Browser 
Resource 











Comment: Anonymous auth with password synch cannot delegate credentials to a remote server. Disabling & | 
password synch will enable delegation however. | 
| zd 


| 
ie] Done | | (=) My Computer W 








Figure 52 IISPerms "What If" Tool Interface 


If interested in further information, go to the http://support.microsoft.com site, knowledge 
base article Q229694. 


HISECWEB.INF (Policy Template) 


A self-extracting .exe file called hisecweb.exe can be downloaded from the Microsoft site 
that contains a policy template for securing an IIS 5.0 web server. After downloading and 
extracting the hisecweb.inf file into the %systemroot%\security\templates directory, 
launch the Security Configuration and Analysis tool. Load the hisecweb.inf template 
into the tool and review the default policy settings to see if they match your policy and 
needs. See Figure 53: 
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‘fi Console1 - [Console Root\Security Configuration and Analysis\Local Policies\\Security Options] &§ -/0) x) 
Bh Console Window Help l CD @& |} lal x! 
|| Action Yiew Favorites | ee” fe] | | 2 
Tree | Favorites | 
( Console Root BE) allow server operators to schedule tasks (domain controllers only) — Not defined Not defined 
SI Sp Security Configuration and Analy: PAallow system to be shut down without having to log on Disabled Disabled 
SI fo) Account Policies 2 Allowed to eject removable NTFS media Administrators Administrators 
+] @ Password Policy 83] Amount of idle time required before disconnecting session Not defined 15 minutes 
o} @ Account Lockout Policy (B2) Audit the access of global system objects Not defined Disabled 
= | Local Policies (PY Audit use of Backup and Restore privilege Enabled Enabled 
-<@9 Audit Policy Fe Automatically log off users when logon time expires (local) Enabled Enabled 
#)~<¢J User Rights Assignment ay Clear virtual memory pagefile when system shuts down Enabled Enabled 
G1 eg9 Security Options 2) Diaitally sign client communication (always) Not defined Enabled 
A a Event Log PYDiaitally sign client communication (when possible) Enabled Enabled 
a Ei) Settings For Event Logs (Re) Digitally sign server communication (always) Not defined Enabled 
{GQ Restricted Groups fo bays ication (wh ile) Enabled Enabled 
9 System Services pe ig ally sign server communication (when possible’ na le nal le 
09 Registry PYpisable CTRL+ALT+DEL requirement For logon Disabled Disabled 
4 we CLASSES ROOT eA Do not display last user name in logon screen Enabled Enabled 
a] M CHINE. RYLaN Manager Authentication Level SendLM&NTLM-u,.. Send NTLMv2 response onlyrefuse 
ry | USERS Bg Message text for users attempting to log on This is a private co,., This is a private computer a 
4 » 








Figure 53 HISECWEB.inf MMC Policy Snap-In 


Once policy changes are made, right-click the Security Configuration and Analysis tool 
and choose Analyze Computer Now from the context menu. The system will check the 
system configuration against the ones identified in the policy. When the configuration 
check is complete, a screen like Figure 53 will appear. For each area, a list of current 
system settings and selected settings is generated. A red X identifies where the policies 
differ. A green check identifies where they are correct. 


To apply the template, right-click the Security Configuration and Analysis tool and choose 
Configure Computer Now from the context menu. The system will go through and set the 
system according to the policy just identified. IPSEC policies will not be set using this tool 
and must be considered separately. It is recommended that all ports be blocked and only 
those necessary be added. There are many web security tasks that this tool will not do, 
some of them are: not set ACL’s on your files or directories in NTFS, it will not set 
permissions on the files, directories or sites in IIS 5.0, it will not remove sample files (refer 
to chapter 4) and it will not move content directories from the default. All of these will still 
need to be done by the administrator as recommend in the prior sections of this guide. 


Although this tool can be very valuable, if the Windows 2000 Security Guide will be 
implemented, do NOT implement this policy without modification. The changes will 
override some of the settings the OS guide invoked. Compare the OS guide and your 
organization policy to this policy and make the necessary changes to possibly utilize a 
combination of both. If the OS guide will not be implemented, or a combination, the use of 
this policy configuration is recommended. If this tool is to be utilized it is recommended 
that this tool be used during the initial configuration of the web server. Please make sure 
that before use, web server installation and configuration plan is available and the 
administrator is knowledgeable of how to make policy changes and implement policy. 

WARNING: it is critical to have a backup of the system 

before implementing this policy. Also, utilizing another 

registry and system change software (i.e. configsafe) is 


recommended in case the user needs to quickly reverse the 
changes made. The policy cannot be automatically reversed. 
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IISLock (Windows 2000 Internet Server Security Configuration Tool) 


The third tool is the IISLock utility. This is similar to the hisecweb utility, but it adds more 
features for configuration. In fact, this tool includes the use of the hisecweb.inf policy to 
implement some of the necessary changes. The documentation of this tool states, “The 
general philosophy of this tool is to lock down everything except that which is required by 
the Internet Server.” The tool provides an HTML interface to obtain information about the 
intended use of the web server. Based upon the answers, a policy template will be built 
that can be implemented via a command line program. See Figure 54: 
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4 Windows 2000 Internet Server Configration Tool - Microsoft Internet Explorer & a =/5) x} 
| a on a eae ares aaa - 3 Ea 
| eek ~ > ~ @ a @Qsearch [GFavorites CBuistory | BS & 

| Address é) D:\Program Files\IISlock\Tool\DataEntry\Default htm | @Go || tinks os 














Remotely administer this computer using Windows Networking. 

Remotely administer this computer over the Web. 

Use this server as a File Transfer Protocol server (FTP) 

Use this server as an Internet email server (SMTP, POP3) 

Use this computer as an Internet news (NNTP) server 

Use Secure Sockets Layer/Transport Layer Security (SSL/TLS) on this server 


D About and Legal Notice Use this computer as Telnet server 
Allow files other than static files (txt, .html, .gif etc) and Active Server Pages to be served. 
I & Use Internet Printing 
 & Use Server Side Includes (SSI) 
I & Change Windows passwords over the Web 
M & Use Index Server with IIS 
[ <f Keep the Web sarnples 


Template Name: {iS Template tt Create Template | 


| | je} My Computer 








Figure 54 IISLock Web Interface Tool 


This policy includes the IP Security Policy Management snap-in, which blocks all ports, 
except those identified for use, WHICH IS HIGHLY RECOMMENDED. It also modifies 
the script maps to avoid several other vulnerabilities. If your server participates in a 
domain, the ports need to be identified, which are required for IIS server communication 
to the domain controllers and other resources that are tied to the web server. Without 
permitting those communications using the IP Security Policy Management snap-in, all 
those communications will be blocked. 


Once choices are selected, give the template a name and press the Create Template 
button. Next, from a command prompt, in the directory where the iissecuritywiz.dll file 
was installed, type “regsvr32 iissecuritywiz.dll” and press enter. This will register a COM+ 
component to allow service manipulation and administrative checks. Once completed, 
run the IISConfig command on the command line and use the necessary flags to properly 
set your site information (i.e. IISConfig —s myserver —f C:\temp\IISTemplate.txt —d) 
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WARNING: It is critical to have a backup of the system 
before implementing this policy. Also, utilizing another 
registry and system change software (i.e., configsafe) is 
recommended in case the user needs to quickly reverse the 
changes made. The policy cannot be automatically reversed. 


A copy of the tool can be downloaded from either of the following URLs 


http://www.microsoft.com/Downloads/Release.asp?ReleaselD=19889 





http://www.microsoft.com/WINDOWS2000/news/bulletins/iistool.as 





Although this tool can be very valuable, if the Windows 2000 Security Guide will be 
implemented, do NOT implement this tool without modification of the policy it uses. The 
changes will override some of the settings that this and the OS guide have changed. 
Compare this IIS 5.0 guide, the OS guide and your organization policy to this policy and 
make the necessary changes to possibly utilize a combination of both. If the OS guide will 
not be implemented, or a combination, the use of this configuration tool is recommended. 
If this tool is to be utilized, it is recommended that this tool be used during the initial 
configuration of the web server due to the leniency toward the security of the server. 
Please make sure that before use, the web server installation and configuration plan are 
available and the administrator is knowledgeable of how to make policy changes, 
implement policy changes and block/unblock ports using the IP Security Policy 
Management snap-in. 


UNCLASSIFIED 


UNCLASSIFIED 


This Page Intentionally Left Blank 


UNCLASSIFIED 


87 


7p) 
a 
= 
| = 
re) 
M 
— 
2x oO 
lem 
a) 
ro) 
o> 
ome 
a 
ro) 
Cc 
wa 





B 





Known Vulnerabilities 


Some of the descriptions provided below were taken from various Microsoft Bulletins and are noted as 
such. IIS administrators should always check for hot fixes/patches and install them as necessary, along 
with the latest service pack available from Microsoft. Available patches can be found at the Microsoft 
Support Center at http://support.microsoft.com 


IIS 5.0 Vulnerability 


MS Security Bulletin 


MS 00-019 





Vulnerability: Virtualized UNC Share 











Date March 30, 2000 

Summary Under certain fairly unusual conditions, the vulnerability could cause a 
web server to send the source code of .ASP and other files to a visiting 
user. 

Scope The vulnerability could cause the source code of certain types of files to 


be sent from a web server to a visiting user's browser. It would not 
enable a malicious user to change the files on a server or take any other 
administrative action on it. The vulnerability only occurs under very 
specific, and fairly unusual, conditions. The file must reside on a different 
machine from the web server, and the visitor must malform the request 
by adding certain invalid characters to the end of it. 





Concern If a virtual directory on an IIS server is mapped to a UNC share, and a 
request for a file in the directory contains one of several particular 
characters at the end, the expected ISAPI extension processing may not 
occur. The result is that the source code of the file would be sent to the 








browser. 
Patch Availability Http://www. microsoft.com/downloads/release.asp?ReleaselD=19982 
Affected Software Microsoft Internet Information Server 4.0 and 5.0 


Microsoft Proxy Server 2.0 
Microsoft Site Server and Site Server, Commerce Edition 3.0 
Microsoft Commercial Internet System 2.0 and 2.5 








Notes/Recommended 
Changes 
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IIS 5.0 Vulnerability 


MS Security Bulletin 


MS 00-023 





Vulnerability: Myriad Escaped Characters 














Date April 12, 2000 

Summary The vulnerability could allow a malicious user to slow a web server's 
response or prevent it from providing service altogether for a period of 
time. 

Scope This is a denial of service vulnerability. If a malicious user requested a 
file from a web server via a specially-malformed URL, the server could 
become unresponsive for some period of time. 

Concern Special characters can be embedded in URLs by use of so-called 


escaped character sequences. By providing a specially-malformed URL 
with an extremely large number of escaped characters, a malicious user 
could arbitrarily increase the work factor associated with parsing the 
escaped characters, thereby consuming much or all of the CPU 
availability on the server and preventing useful work from being done. 





Patch Availability 


Http://www. microsoft.com/Downloads/Release.asp?ReleaselD=20286 





Affected Software 


Microsoft Internet Information Server 4.0 
Microsoft Internet Information Services 5.0 








Notes/Recommended 
Changes 
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IIS 5.0 Vulnerability 


MS Security Bulletin 


MS 00-030 





Vulnerability: Malformed Extension Data in URL 











Date May 11, 2000 

Summary The vulnerability could be used to slow the performance of an affected 
server, or temporarily stop it altogether. 

Scope This is a denial of service vulnerability. If a malicious user requested a 
file from a web server via an URL containing specially-malformed file 
extension data, the server could become unresponsive for some period 
of time. 

Concern 





In compliance with RFC 2396, the algorithm in IIS that processes URLs 
has flexibility built in to allow it to process any arbitrary sequence of file 
extensions or subresource identifiers (referred to in the RFC as 
path_segments). By providing an URL that contains specially- 
malformed file extension information, a malicious user could misuse 
this flexibility in order to arbitrarily increase the work factor associated 
with parsing the URL. This could consume much or all of the CPU 
availability on the server and prevent useful work from being done. 





Patch Availability 


Http://www. microsoft.com/Downloads/Release.asp?ReleaselD=20904 





Affected Software 


Microsoft Internet Information Server 4.0 
Microsoft Internet Information Services 5.0 








Notes/Recommended 
Changes 
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IS 5.0 Vulnerability 


MS Security Bulletin 


MS 00-031 





Vulnerability: Undelimited .HTR Request and File Fragment Reading via .HTR 





Date 


July 17, 2000 





Summary 


The vulnerabilities could, respectively, be used to slow an affected web 
server's response or to obtain the source code of certain types of files 
under very restricted conditions. 





Scope 


There are two vulnerabilities here. The first, the "Undelimited .HTR 
Request" vulnerability, is a denial of service vulnerability that could be 
used to prevent an affected web server from providing useful service. 
The second, the "File Fragment Reading via .HTR" vulnerability could 
allow certain types of files to be read from the server under very unusual 
conditions 





Concern 


This patch eliminates two security vulnerabilities that are unrelated 
except by virtue of the fact that both exist in the ISAPI extension that 
provides web-based password administration via .HTR scripts. 


The "Undelimited .HTR Request" vulnerability is a denial of service 
vulnerability. If a malicious user provided a password change request 
that was missing an expected delimiter, the algorithm would conduct an 
unbounded search. This would prevent it from servicing additional .HTR 
requests, and could also slow the overall response of the server. 


The ".HTR File Fragment Reading" vulnerability could allow fragments of 
certain types of files to be read by providing a malformed request that 
would cause the .HTR processing to be applied to them. However, the 
vulnerability could only be exploited under extremely restrictive 
conditions, and the most valuable data in the files would be the least 
likely to actually appear in the fragments sent to the user. 





Patch Availability 


Http://www. microsoft.com/Downloads/Release.asp?ReleaselD=22708 





Affected Software 


Internet Information Server 4.0 
Internet Information Services 5.0 








Notes/Recommended 
Changes 
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IIS 5.0 Vulnerability 


MS Security Bulletin 


MS 00-044 





Vulnerability: Absent Directory Browser Argument 





Date 


July 14, 2000 





Summary 


The vulnerabilities could allow a malicious user to stop the web server 
from providing useful service, or to extract certain types of information 
from it. 





Scope 


This is a denial of service vulnerability. A malicious user could exploit 
this vulnerability to prevent an IIS server from providing useful service. In 
addition, it could allow a malicious user to view the directory structure on 
the web server. The vulnerability only affects IIS 4.0 or IIS 5.0 machines 
that have been upgraded from IIS 3.0. 





Concern 


The “Absent Directory Browser Argument” vulnerability. An 
administrative script installed as part of IIS 3.0 but preserved on upgrade 
to IIS 4.0 or IIS 5.0 does not correctly handle the case where an 
expected argument is missing. The absence of the argument causes the 
script to go into an infinite loop, at which point the script consumes all 
CPU resources on the server. In addition, the permissions on this tool 
and several related ones, which were appropriate under IIS 3.0, are 
inappropriate under IIS 4.0 and 5.0. This could allow web site visitors to 
use these tools, which provide the ability to view the directory structure 
on the server. 


A new variant on the “File Fragment Reading via .HTR” vulnerability. 
The original version of this vulnerability was discussed in Microsoft 
Security Bulletin MS00-031. The new vulnerability differs only in the 
specific way that it could be exploited — like the original version, the 
effect of the vulnerability is that fragments of ASP and other files could 
potentially be retrieved from the server. As in the original version, the 
mechanics of the new variant make it likely that the parts of an .ASP file 
most interesting to a malicious user would be stripped out. 





Patch Availability 


Http://www. microsoft.com/Downloads/Release.asp?ReleaselD=22708 





Affected Software 


Microsoft Internet Information Server 4.0 
Microsoft Internet Information Services 5.0 








Notes/Recommended 
Changes 
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IIS 5.0 Vulnerability 


MS Security Bulletin 


MS 00-057 





Vulnerability: File Permission Canonicalization 














Date August 10, 2000 

Summary Under very restricted conditions, the vulnerability could allow a malicious 
user to gain additional permissions to certain types of files hosted on a 
web server. 

Scope 

Concern A canonicalization error can, under certain conditions, cause IIS 4.0 or 5.0 


to apply incorrect permissions to certain types of files. If an affected file 
residing in a folder with restrictive permissions were requested via a 
particular type of malformed URL, the permissions actually used would be 
those of a folder in the file's parentage chain, but not those of the folder 
the file actually resides in. If the ancestor folder's permissions were more 
permissive than those of the correct folder, the malicious user would gain 
additional privileges to the affected file. 





Patch Availability 


Microsoft Internet Information Server 5.0: 
http://www. microsoft.com/Downloads/Release.asp?ReleaselD=3D23665 





Affected Software 


Microsoft Internet Information Server 4.0 
Microsoft Internet Information Server 5.0 








Notes/Recommended 
Changes 
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11S 5.0 Vulnerability 


MS Security Bulletin 


MS 00-058 





Vulnerability: Specialized Header 





August 14, 2000 





Under certain conditions, the vulnerability could cause a web server to send the 
source code of certain types of web files to a visiting user. 
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ncern If an IIS server receives a file request that contains a specialized header as well as 
one of several particular characters at the end, the expected ISAPI extension 


processing may not occur. The result is that the source code of the file would be 
sent to the browser. 














Bitch Availability http://www.microsoft.com/Downloads/Release.asp?ReleaselD=23769 
Affected Software Microsoft Internet Information Server 5.0 
Notes/Recommended 
Changes 
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IIS 5.0 Vulnerability 


MS Security Bulletin 


MS 00-060 





Vulnerability: IIS Cross-Site Scripting 














Date August 25, 2000 

Summary The vulnerabilities could allow a malicious web site operator to misuse 
another web site as a means of attacking users. 

Scope 

Concern This vulnerability, known as Cross-Site Scripting (CSS), results when web 


applications don't properly validate inputs before using them in dynamic web 
pages. If a malicious web site operator were able to lure a user to his site, 
and had identified a third-party web site that was vulnerable to CSS, he 
could potentially use the vulnerability to "inject" script into a web page 
created by the other web site, which would then be delivered to the user. 
The net effect would be to cause the malicious user's script to run on the 
user's machine using the trust afforded the other site. 


The vulnerability can affect any software that runs on a web server, accepts 
user input, and blindly uses it to generate web pages. 





Patch Availability 


Internet Information Server 5.0: 
http://www. microsoft.com/Downloads/Release.asp?ReleaselD=23999 





Affected Software 


Microsoft Internet Information Server 4.0 
Microsoft Internet Information Server 5.0 








Notes/Recommended 
Changes 











UNCLASSIFIED v2 


~ 
=| 
fe) 
= 
= | 
< 
= 
5 
@O 
=“ 
a) 
c. 
=a 
i) 
n 


— g xIpueddy 





7p) 
Oo 
= 
— 
ie) 
M 
—_ 
2 oO 
coms 
a) 
ro) 
o> 
ome 
a 
ro) 
Cc 
wa 





IIS 5.0 Vulnerability 


MS Security Bulletin 


MS 00-060Re-Release 





Vulnerability: IIS Cross-Site Scripting 





Date 


November 2, 2000 





Summary 


The new vulnerability is exactly the same as that of the originally- 
reported one. The updated patch eliminates all known variants of the 
vulnerability. Customers who applied the original version of the patch 
should apply the new version to ensure that they are fully protected. 





Scope 


The original vulnerability and the new variant have exactly the same 
scope. Both vulnerabilities could enable a malicious user to cause code 
to run on the machine of another user in the guise of a third-party web 
site. Such code could take any action on the user's computer that the 
third-party web site was permitted to take. In addition, the code could be 
made persistent, so that if the user returned to the web site again in the 
future, the code would begin running again. 





Concern 


If a malicious web site operator were able to lure a user to his site, and 
had identified a third-party web site that was vulnerable to CSS, he could 
potentially use the vulnerability to "inject" script into a web page created 
by the other web site, which would then be delivered to the user. The net 
effect would be to cause the malicious user's script to run on the user's 
machine using the trust afforded the other site. 





Patch Availability 


Http://www. microsoft.com/Downloads/Release.asp?ReleaselD=25533 





Affected Software 


Microsoft Internet Information Server 5.0 








Notes/Recommended 
Changes 
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IIS 5.0 Vulnerability 


MS Security Bulletin 


MS 00-078 





Vulnerability: Web Server Folder Traversal 





Date 


October 17, 2000 





Summary 


The vulnerability could potentially allow a visitor to a web site to take a 
wide range of destructive actions against it, including running programs 
on it. 





Scope 


This vulnerability would enable a malicious user to cause code of his 
choice to execute on an affected web server. The specific code he could 
run would be limited by the specific server configuration, but in most 
cases, it would be possible for the malicious user to execute any code 
that a user logged into the server interactively could run. This would give 
him the ability to install and run code, add, change or delete files or web 
pages, or take other actions. 





Concern 


Due to a canonicalization error in IIS 4.0 and 5.0, a particular type of 
malformed URL could be used to access files and folders that lie 
anywhere on the logical drive that contains the web folders. This would 
potentially enable a malicious user who visited the web site to gain 
additional privileges on the machine - specifically, it could be used to 
gain privileges commensurate with those of a locally logged-on user. 
Gaining these permissions would enable the malicious user to add, 
change or delete data, run code already on the server, or upload new 
code to the server and run it. 





Patch Availability 


Hitp://www.microsoft.com/windows2000/downloads/critical/q269862 





Affected Software 


Microsoft Internet Information Server 5.0 








Notes/Recommended 
Changes 











UNCLASSIFIED 


97 


~ 
= 
ie) 
= 
=) 
< 
= 
=] 
@O 
= 
ie) 
o 
= 
@O 
” 


— g xIpueddy 





7p) 
a 
= 
|= 
ie) 
M oc 
— 
2 Oo 
coms 
a) 
rob) 
o> 
ome 
a 
ro) 
Cc 
wa 





IIS 5.0 Vulnerability 


MS Security Bulletin 


MS 00-080 





Vulnerability: Session ID Cookie Marking 





Date 


October 23, 2000 





Summary 


The vulnerability could allow a malicious user to "hijack" another user's 
secure web session. 





Scope 


This vulnerability could, under very restricted conditions, enable a 
malicious use to “hijack” another user’s secure web session. That is, it 
could allow the malicious user to connect to another user's existing 
session with a secure web page, and would allow him to take action on 
the other user’s behalf, such as placing orders or viewing personal 
information. 





Concern 


IIS supports the use of a Session ID cookie to track the current session 
identifier for a web session. However, .ASP in IIS does not support the 
creation of secure Session ID cookies as defined in RFC 2109. As a 
result, secure and non-secure pages on the same web site use the 
same Session ID. If a user initiated a session with a secure web page, a 
Session ID cookie would be generated and sent to the user, protected 
by SSL. But if the user subsequently visited a non-secure page on the 
same site, the same Session ID cookie would be exchanged, this time in 
plaintext. If a malicious user had complete control over the 
communications channel, he could read the plaintext Session ID cookie 
and use it to connect to the user’s session with the secure page. At that 
point, he could take any action on the secure page that the user could 
take. 





Patch Availability 


Http://www. microsoft.com/Windows2000/downloads/critical/q2741 49 





Affected Software 


Microsoft Internet Information Services 5.0 








Notes/Recommended 
Changes 
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IIS 5.0 Vulnerability 


MS Security Bulletin 


MS 00-080Re-Release 





Vulnerability: Session ID Cookie Marking 





Date 


November 20, 2000 





Summary 


The vulnerability could allow a malicious user to "hijack" another user's 
secure web session, under a very restricted set of circumstances. New 
versions of these patch are available, to correct an error in the original 
version of the patch. 





Scope 


This vulnerability could, under very restricted conditions, enable a 
malicious use to “hijack” another user’s secure web session. That is, it 
could allow the malicious user to connect to another user’s existing 
session with a secure web page, and would allow him to take action on 
the other user’s behalf, such as placing orders or viewing personal 
information 





Concern 


IIS supports the use of a Session ID cookie to track the current session 
identifier for a web session. However, .ASP in IIS does not support the 
creation of secure Session ID cookies as defined in RFC 2109. As a 
result, secure and non-secure pages on the same web site use the 
same Session ID. If a user initiated a session with a secure web page, a 
Session ID cookie would be generated and sent to the user, protected 
by SSL. But if the user subsequently visited a non-secure page on the 
same site, the same Session ID cookie would be exchanged, this time in 
plaintext. If a malicious user had complete control over the 
communications channel, he could read the plaintext Session ID cookie 
and use it to connect to the user’s session with the secure page. At that 
point, he could take any action on the secure page that the user could 
take. 





Patch Availability 


Http://www. microsoft.com/Windows2000/downloads/critical/q2741 49 





Affected Software 


Microsoft Internet Information Services 5.0 








Notes/Recommended 
Changes 
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IIS 5.0 Vulnerability 


MS Security Bulletin 


MS 00-086 





Vulnerability: Web Server File Request Parsing 











Date November 6, 2000 

Summary The vulnerability could enable a malicious user to run operating system 
commands on a web server. 

Scope This vulnerability would enable a malicious user to execute operating 
system commands on an affected web server. This would give him the 
ability to modify web pages, add, change or delete files, reformat the 
hard drive, or take other actions -- including uploading code of his choice 
to the server and executing it. 

Concern 





When IIS receives a valid request for an executable file, it passes the 
name of the requested file to the underlying operating system for 
processing. However, due to an implementation flaw, it is possible to 
create a specially-malformed file request that contains both a file name 
and one or more operating system commands. Upon receiving such a 
request, IIS would pass the entire string to the operating system, which 
would first process the file and then execute the commands. 





Patch Availability 


Http://www. microsoft.com/Downloads/Release.asp?ReleaselD=25547 





Affected Software 


Microsoft Internet Information Services 5.0 








Notes/Recommended 
Changes 
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IIS 5.0 Vulnerability 


MS Security Bulletin 


MS 00-086Re-Release 





Vulnerability: Web Server File Request Parsing 














Date November 30, 2000 

Summary The vulnerability could enable a malicious user to run operating system 
commands on a web server. 

Scope This vulnerability would enable a malicious user to execute operating 
system commands on an affected web server. This would give him the 
ability to modify web pages, add, change or delete files, reformat the 
hard drive, or take other actions -- including uploading code of his choice 
to the server and executing it. 

Concern Regression error in IIS 5.0 patch re-exposes previous vulnerability. 





Patch Availability 


Http://www. microsoft.com/Downloads/Release.asp?ReleaselD=25547 





Affected Software 


IIS 5.0 








Notes/Recommended 
Changes 
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IIS 5.0 Vulnerability 


MS Security Bulletin 


MS 00-086Update 





Vulnerability: Web Server File Request Parsing 











Date November 21, 2000 

Summary The vulnerability could enable a malicious user to run operating system 
commands on a web server. 

Scope This vulnerability would enable a malicious user to execute operating 
system commands on an affected web server. This would give him the 
ability to modify web pages, add, change or delete files, reformat the 
hard drive, or take other actions -- including uploading code of his choice 
to the server and executing it. 

Concern 





When IIS receives a valid request for an executable file, it passes the 
name of the requested file to the underlying operating system for 
processing. However, due to an implementation flaw, it is possible to 
create a specially-malformed file request that contains both a file name 
and one or more operating system commands. Upon receiving such a 
request, IIS would pass the entire string to the operating system, which 
would first process the file and then execute the commands. 





Patch Availability 


http://www. microsoft.com/Windows2000/downloads/critical/q277873 





Affected Software 


Microsoft Internet Information Services 5.0 








Notes/Recommended 
Changes 
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IIS 5.0 Vulnerability 


MS Security Bulletin 














MS 00-100 a 
re) 
7 ar => 
Vulnerability: Web Form Submission DoS =) B= 
<0 
Date December 22, 2000 = A 
oe 
Summary The vulnerability could potentially allow an attacker to prevent an = Ww 
affected web server from providing useful service. = | 
Scope This is a denial of service vulnerability. By sending a specially- 2 


malformed form submission to an affected server, it would be possible 
for a malicious user to disrupt the server’s operation. 








Concern The FrontPage Server Extensions (FPSE) ship with and are installed by 
default as part of IIS 4.0 and 5.0. The most familiar FPSE functions allow 
web site and content management; however, FPSE also provides 
browse-time support functions. Among the functions included in the 
latter category are ones that help process web forms that have been 
submitted by a user. A vulnerability exists in one of these functions. If a 
malicious user levied a specially-malformed form submission to an 
affected server, it would cause the IIS service to fail. 




















Patch Availability Http://www. microsoft.com/Downloads/Release.asp?ReleaselD=26277 
Affected Software IIS 5.0 with FPSE 

Notes/Recommended 

Changes 
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IIS 5.0 Vulnerability 


MS Security Bulletin 


MS 01-004 





Vulnerability: File Fragment Reading via .HTR 





Date 


January 29, 2001 





Summary 


Information disclosure 





Scope 


This vulnerability is a new variant of the “File Fragment Reading via 
-HTR” vulnerability discussed in Microsoft Security Bulletins MS00-031 
and MS00-044. The scope of the new variant is exactly the same as that 
of the previous ones: it could enable an attacker to read certain parts of 
certain files on a web server. However, as in the original version of the 
vulnerability, the vulnerability would not enable the attacker to add, 
change or delete files. 





Concern 


.ASP files are the best example of a server-side file type, so called 
because they’re intended to be processed on the server, rather than on 
the web client. When a web client requests an .ASP file, it’s processed 
on the server (by an ISAPI extension) and the results — not the source 
code — should be sent to the requester. This vulnerability poses a 
security risk because, by enabling an attacker to obtain fragments of 
.ASP source code, it’s possible that the attacker could harvest sensitive 
data from them. 





Patch Availability 


Http://www. microsoft.com/Downloads/Release.asp?ReleaselD=27491 





Affected Software 


IIS 5.0 








Notes/Recommended 
Changes 
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IIS 5.0 Vulnerability 


MS Security Bulletin 














MS 01-014 a 
re) 
a ; ; ; => 
Vulnerability: Malformed URL can cause Service Failure in IIS 5.0 =| S 
<0 
Date March 1, 2001 =2 
ox 
Summary Denial of service = WW 
Scope It could enable an attacker to temporarily disrupt service on an affected = 
0) 
n 


web, or to temporarily disrupt web-based access to an affected mail 
server. Although the server in either case would automatically resume 
normal operation, any sessions in progress at the time of the attack 
would be lost. 








Concern IIS 5.0 contains a flaw affecting the way that an URL is handled if it has 
a specific construction and its length is within a very narrow range of 
values. If such an URL were repeatedly sent to an affected system, a 
confluence of events could cause a memory allocation error that would 
result in the failure of the IIS service. 




















Patch Availability Hitp://www.microsoft.com/Downloads/Release.asp?ReleaselD=28155 
Affected Software IIS 5.0 

Notes/Recommended 

Changes 
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IIS 5.0 Vulnerability 


MS Security Bulletin 


MS 01-016 





Vulnerability: Malformed WebDAV Request Can Cause IIS to Exhaust CPU Resources 














Date March 8, 2001 

Summary Denial of service 

Scope If an attacker exploited this vulnerability against an affected server, she 
could temporarily prevent it from providing web services. The effect of an 
attack via this vulnerability would only last as long as a continuous 
stream of requests was directed at an affected server, after which point 
normal service would automatically resume. 

Concern WebDAV is an extension to the HTTP protocol that allows remote 


authoring and management of web content. In the Windows 2000 
implementation of the protocol, IIS 5.0 performs initial processing of all 
WebDAV requests, then forwards the appropriate commands to the 
WebDAV process. However, a flaw exists in the way WebDAV handles a 
particular type of malformed request. If a stream of such requests were 
directed at an affected server, it would consume all CPU availability on 
the server. 





Patch Availability 


http://www. microsoft.com/Downloads/Release.asp?ReleaselD=28564 





Affected Software 


IS 5.0 








Notes/Recommended 
Changes 
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IIS 5.0 Vulnerability 


MS Security Bulletin 














MS 01-023 a 
2 > 
Vulnerability: Unchecked Buffer in ISAPI Extension Could Enable Compromise of IIS 5.0 Server mee 
<0 
Date May 1, 2001 Sa 
oe 
Summary Run code of attacker’s choice in system context. = WO 
Scope This is a buffer overrun vulnerability. While buffer overrun vulnerabilities = 
© 
7) 


typically are serious, this one poses an even greater threat than usual, 
for two reasons: 


1. Under default conditions, it could be exploited by an attacker on the 
Internet. 





2. It could enable an attacker to gain complete control over an affected 
web server. This would enable her to take any desired action, including 
installing and running programs; reconfiguring the server; adding, 
changing or deleting files and web pages; or taking other actions. 





Concern Windows 2000 introduced native support for the Internet Printing 
Protocol (IPP), an industry-standard protocol for submitting and 
controlling print jobs over HTTP. The protocol is implemented in 
Windows 2000 via an ISAPI extension that is installed by default as part 
of Windows 2000 but which can only be accessed via IIS 5.0. 


A security vulnerability results because the ISAPI extension contains an 
unchecked buffer in a section of code that handles input parameters. 
This could enable a remote attacker to conduct a buffer overrun attack 
and cause code of her choice to run on the server. Such code would run 
in the Local System security context. This would give the attacker 
complete control of the server, and would enable her to take virtually any 
action she chose. 


The attacker could exploit the vulnerability against any server with which 
she could conduct a web session. No other services would need to be 
available, and only port 80 (HTTP) or 443 (HTTPS) would need to be 








open. 
Patch Availability Http://www. microsoft.com/Downloads/Release.asp?ReleaselD=29321 
Affected Software Microsoft Windows 2000 Professional 


Microsoft Windows 2000 Server 
Microsoft Windows 2000 Advanced Server 
Microsoft Windows 2000 Datacenter Server 








Notes/Recommended | Two Factors Control Whether The Internet Printing Isapi Extension Is 
Changes Mapped And Enabled: The Settings In The Internet Services Manager, 
And Group Policy. By Default, Internet Printing Isn't Configured In Either 
Domain Or Local Group Policy. However, If Internet Printing Has Been 
Configured In Group Policy -- Either To Enable Or Disable It -- The 
Group Policy Settings Will Override Those Made Via The Internet 
Services Manager. 
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To Disable Internet Printing In Group Policy, Follow These Steps: 


1. Launch The Microsoft Management Console And Load The Snap-In 
For Group Policy 

2. Select Computer Configuration, Then Administrative Templates, Then 
Printers. 

3. Check The Setting For Web-Based Printing. By Default, It Is Not 
Configured. If It ls Enabled, Disable It. 


Alternatively, You Can Disable It By Setting The Following Registry 
Value To A Dword Value Of 0x1: 
HkIm\Software\Policies\Microsoft\Windows 
Nit\Printers\Disablewebprinting 
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IIS 5.0 Vulnerability 


MS Security Bulletin 














MS 01-026 a 
2> 
Vulnerability: Superfluous Decoding Operation Could Allow Command Execution via IIS mee 
<0 
Date May 14, 2001 Sa 
ox 
Summary This patch addresses three newly-discovered vulnerabilities and = WO 
includes virtually all previously released patches for IIS 4.0 and IIS 5.0. = 

Scope Vulnerability 1: This vulnerability would enable a malicious user to 2 


execute operating system commands on an affected web server. This 
would give him the ability to modify web pages, add, change or delete 
files, reformat the hard drive, or take other actions -- including uploading 
code of his choice to the server and executing it. 





Vulnerability 2: The second vulnerability is a denial of service 
vulnerability. By entering a particular type of invalid command within an 
FTP session, an attacker could cause all web services on the server to 
fail. 


Vulnerability 3: The third vulnerability is an information disclosure 
vulnerability. It would not give an attacker a way to do anything he 
couldn’t already do, but it would make it easier for him to exploit a 
misconfigured network. In the worst case, the vulnerability could assist 
an attacker in gaining access to a domain account. 























Concern 

Patch Availability Http://www. microsoft.com/Downloads/Release.asp?ReleaselD=29764 
Affected Software Microsoft Internet Information Services 5.0 

Notes/Recommended 

Changes 
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IIS 5.0 Vulnerability 


MS Security Bulletin 


MS 01-033 





Vulnerability: Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server 


Compromise 





Date 


June 18, 2001 





Summary 


A security vulnerability results because idq.dll contains an unchecked 
buffer in a section of code that handles input URLs. An attacker who 
could establish a web session could conduct a buffer overrun attack and 
execute code on the web server. 





Scope 


This is a buffer overrun vulnerability. An attacker who successfully 
exploited this vulnerability could gain complete control over an affected 
web server. This would give the attacker the ability to take any desired 
action on the server, including changing web pages, reformatting the 
hard drive or adding new users to the local administrators group. 





Concern 


The buffer overrun occurs before any indexing functionality is requested. 
As a result, even though idq.dll is a component of Index Server/Indexing 
Service, the service would not need to be running in order for an 
attacker to exploit the vulnerability. As long as the script mapping for .idq 
or .ida files were present, and the attacker were able to establish a web 
session, he could exploit the vulnerability. 





Patch Availability 


Windows 2000 Professional, Server and Advanced Server: 
http://www. microsoft.com/Downloads/Release.asp?ReleaselD=30800 


Windows 2000 Datacenter Server: 
Patches for Windows 2000 Datacenter Server are hardware-specific and 
available from the original equipment manufacturer. 





Affected Software 


Microsoft Index Server 2.0 


Indexing Service in Windows 2000 








Notes/Recommended 
Changes 
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